diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2018-05-05 22:00:01 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-05-17 02:23:06 +0200 |
commit | cb2f7ea96b4f6e03ebf0c0563677745fc65f148e (patch) | |
tree | 9b2ffd02fb7e564721aa9fe2d7c62268f35bbf04 | |
parent | c6a11714c4b1227be62cbc36651ccfc415e8e623 (diff) | |
download | ffmpeg-cb2f7ea96b4f6e03ebf0c0563677745fc65f148e.tar.gz |
avcodec/fic: Check available input space for cursor
Fixes: out of array read
Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/fic.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/fic.c b/libavcodec/fic.c index 7f70ee47e6..c288c9771b 100644 --- a/libavcodec/fic.c +++ b/libavcodec/fic.c @@ -338,6 +338,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, skip_cursor = 1; } + if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) { + skip_cursor = 1; + } + /* Slice height for all but the last slice. */ ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices; if (ctx->slice_h % 16) |