diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2018-09-03 23:42:22 +0200 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-09-12 00:52:01 +0200 |
| commit | 4356e03fd651b0f2b9463c4bfee3d9ec5d819d61 (patch) | |
| tree | bf319617804575d97292ef22e8a9368cb69b1370 /libavcodec/pnm_parser.c | |
| parent | 74af6ae02100ff05f8a09fde5db4cd06509cdfba (diff) | |
| download | ffmpeg-4356e03fd651b0f2b9463c4bfee3d9ec5d819d61.tar.gz | |
libavcodec/pnm_parser: do not lose skipped parts in reporting of how much was consumed
Fixes: Timeout
Fixes: 9759/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PPM_fuzzer-5655277650051072
Fixes: 9753/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5764378543521792
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/pnm_parser.c')
| -rw-r--r-- | libavcodec/pnm_parser.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index 4bcd0ddd5d..9bf1fdcece 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -32,6 +32,7 @@ static int pnm_parse(AVCodecParserContext *s, AVCodecContext *avctx, ParseContext *pc = s->priv_data; PNMContext pnmctx; int next; + int skip = 0; for (; pc->overread > 0; pc->overread--) { pc->buffer[pc->index++]= pc->buffer[pc->overread_index++]; @@ -43,8 +44,8 @@ retry: pnmctx.bytestream_end = pc->buffer + pc->index; } else { pnmctx.bytestream_start = - pnmctx.bytestream = (uint8_t *) buf; /* casts avoid warnings */ - pnmctx.bytestream_end = (uint8_t *) buf + buf_size; + pnmctx.bytestream = (uint8_t *) buf + skip; /* casts avoid warnings */ + pnmctx.bytestream_end = (uint8_t *) buf + buf_size - skip; } if (ff_pnm_decode_header(avctx, &pnmctx) < 0) { if (pnmctx.bytestream < pnmctx.bytestream_end) { @@ -52,8 +53,8 @@ retry: pc->index = 0; } else { unsigned step = FFMAX(1, pnmctx.bytestream - pnmctx.bytestream_start); - buf += step; - buf_size -= step; + + skip += step; } goto retry; } @@ -61,9 +62,9 @@ retry: } else if (pnmctx.type < 4) { next = END_NOT_FOUND; } else { - next = pnmctx.bytestream - pnmctx.bytestream_start + next = pnmctx.bytestream - pnmctx.bytestream_start + skip + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); - if (pnmctx.bytestream_start != buf) + if (pnmctx.bytestream_start != buf + skip) next -= pc->index; if (next > buf_size) next = END_NOT_FOUND; |