cdtoons: Check sprite_offset is within the packet

Michael Niedermayer Mon, 11 May 2020 13:32:46 -0700

Fixes: out of array read
Fixes: 
20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDTOONS_fuzzer-5754518731227136


Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/cdtoons.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/cdtoons.c b/libavcodec/cdtoons.c
index 13f9a60f0f..a8609815c1 100644
--- a/libavcodec/cdtoons.c
+++ b/libavcodec/cdtoons.c
@@ -190,6 +190,9 @@ static int cdtoons_decode_frame(AVCodecContext *avctx, void 
*data,
     palette_set        = bytestream_get_byte(&buf);
     buf               += 5;
 
+    if (sprite_offset > buf_size)
+        return AVERROR_INVALIDDATA;
+
     /* read new sprites introduced in this frame */
     buf = avpkt->data + sprite_offset;
     while (sprite_count--) {
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

[FFmpeg-devel] [PATCH 1/3] avcodec/cdtoons: Check sprite_offset is within the packet

Reply via email to