starred/ffmpeg-rockchip-nyanmisaka-1
1
0
Fork 0
mirror of https://github.com/nyanmisaka/ffmpeg-rockchip.git synced 2026-01-23 18:11:11 +01:00
Code Issues Projects Packages Wiki Activity Actions

avcodec/flicvideo: consider width in copy loops

Browse source 
Fixes: out of array write
Fixes: 63520/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FLIC_fuzzer-4876198087622656
Regression since: c7f8d42c12 (was not posted to ffmpeg-devel)

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Sean McGovern <gseanmcg@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 03a4aa9699)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2023-11-03 00:10:02 +01:00
parent 2929465718
commit 962d667964
No known key found for this signature in database
GPG key ID: B18E8928B3948D64
1 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

6
libavcodec/flicvideo.c
View file

@ -642,7 +642,7 @@ static int flic_decode_frame_8BPP(AVCodecContext *avctx,
"has incorrect size, skipping chunk\n", chunk_size - 6);
bytestream2_skip(&g2, chunk_size - 6);
} else {
for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit, direction) == 0;
for (y_ptr = 0; check_pixel_ptr(y_ptr, s->avctx->width, pixel_limit, direction) == 0;
y_ptr += s->frame->linesize[0]) {
bytestream2_get_buffer(&g2, &pixels[y_ptr],
s->avctx->width);
@ -949,7 +949,7 @@ static int flic_decode_frame_15_16BPP(AVCodecContext *avctx,
if (bytestream2_get_bytes_left(&g2) < 2 * s->avctx->width * s->avctx->height )
return AVERROR_INVALIDDATA;
for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit, direction) == 0;
for (y_ptr = 0; check_pixel_ptr(y_ptr, 2*s->avctx->width, pixel_limit, direction) == 0;
y_ptr += s->frame->linesize[0]) {
pixel_countdown = s->avctx->width;
@ -1235,7 +1235,7 @@ static int flic_decode_frame_24BPP(AVCodecContext *avctx,
"bigger than image, skipping chunk\n", chunk_size - 6);
bytestream2_skip(&g2, chunk_size - 6);
} else {
for (y_ptr = 0; check_pixel_ptr(y_ptr, 0, pixel_limit, direction) == 0;
for (y_ptr = 0; check_pixel_ptr(y_ptr, 3*s->avctx->width, pixel_limit, direction) == 0;
y_ptr += s->frame->linesize[0]) {
bytestream2_get_buffer(&g2, pixels + y_ptr, 3*s->avctx->width);