Chiebot-Mirror
/
FFmpeg
mirror of https://github.com/FFmpeg/FFmpeg.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/flicvideo: consider width in copy loops

Browse Source 
Fixes: out of array write
Fixes: 63520/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4876198087622656
Regression since: c7f8d42c12 (was not posted to ffmpeg-devel)

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Sean McGovern <gseanmcg@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
release/7.0
Michael Niedermayer 1 year ago
parent c0a18e884c
commit 03a4aa9699
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64
1 changed files with 3 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 6
      libavcodec/flicvideo.c

6
libavcodec/flicvideo.c
Unescape View File

@ -642,7 +642,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
"has incorrect size, skipping chunk\n", chunk_size - 6);
bytestream2_skip(&g2, chunk_size - 6);
} else {
for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit, direction) == 0;
for (y_ptr = 0; check_pixel_ptr(y_ptr, s->avctx->width, pixel_limit, direction) == 0;
y_ptr += s->frame->linesize[0]) {
bytestream2_get_buffer(&g2, &pixels[y_ptr],
s->avctx->width);
@ -949,7 +949,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height )
return AVERROR_INVALIDDATA;
for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit, direction) == 0;
for (y_ptr = 0; check_pixel_ptr(y_ptr, 2*s->avctx->width, pixel_limit, direction) == 0;
y_ptr += s->frame->linesize[0]) {
pixel_countdown = s->avctx->width;
@ -1235,7 +1235,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
"bigger than image, skipping chunk\n", chunk_size - 6);
bytestream2_skip(&g2, chunk_size - 6);
} else {
for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit, direction) == 0;
for (y_ptr = 0; check_pixel_ptr(y_ptr, 3*s->avctx->width, pixel_limit, direction) == 0;
y_ptr += s->frame->linesize[0]) {
bytestream2_get_buffer(&g2, pixels + y_ptr, 3*s->avctx->width);

Write Preview
Loading…
Cancel
Save