On Thu, 11 May 2017 13:01:36 +0200 Michael Niedermayer <mich...@niedermayer.cc> wrote:
> Fixes: 1293/clusterfuzz-testcase-minimized-6054752074858496 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/avcodec.h | 8 ++++++++ > libavcodec/avpacket.c | 5 ++++- > 2 files changed, 12 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/avcodec.h b/libavcodec/avcodec.h > index df6d2bc748..173c083a86 100644 > --- a/libavcodec/avcodec.h > +++ b/libavcodec/avcodec.h > @@ -1593,6 +1593,14 @@ enum AVPacketSideDataType { > * AVContentLightMetadata struct. > */ > AV_PKT_DATA_CONTENT_LIGHT_LEVEL, > + > + /** > + * The number of side data elements (in fact a bit more than it). > + * This is not part of the public API/ABI in the sense that it may > + * change when new side data types are added. > + * This must stay the last enum value. > + */ > + AV_PKT_DATA_NB, > }; OK I guess. > #define AV_PKT_DATA_QUALITY_FACTOR AV_PKT_DATA_QUALITY_STATS //DEPRECATED > diff --git a/libavcodec/avpacket.c b/libavcodec/avpacket.c > index 369dd78208..200ba99f34 100644 > --- a/libavcodec/avpacket.c > +++ b/libavcodec/avpacket.c > @@ -298,7 +298,7 @@ int av_packet_add_side_data(AVPacket *pkt, enum > AVPacketSideDataType type, > AVPacketSideData *tmp; > int elems = pkt->side_data_elems; > > - if ((unsigned)elems + 1 > INT_MAX / sizeof(*pkt->side_data)) > + if ((unsigned)elems + 1 > FFMIN(INT_MAX / sizeof(*pkt->side_data), > AV_PKT_DATA_NB)) Does the FFMIN and the old expression on the right side still have any function? > return AVERROR(ERANGE); > > tmp = av_realloc(pkt->side_data, (elems + 1) * sizeof(*tmp)); 
> @@ -437,6 +437,9 @@ int av_packet_split_side_data(AVPacket *pkt){ > p-= size+5; > } > > + if (i > AV_PKT_DATA_NB) > + return AVERROR(ERANGE); > + > pkt->side_data = av_malloc_array(i, sizeof(*pkt->side_data)); > if (!pkt->side_data) > return AVERROR(ENOMEM);
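Review bot: the doc comment added for AV_PKT_DATA_NB in libavcodec/avcodec.h says "in fact a bit more than it" without explaining why the value differs from the real number of side data types, and it declares the symbol not part of the public API/ABI while placing it in enum AVPacketSideDataType next to the other values. Suggest stating exactly what the value represents and adding a sentence that code outside the library must not use it as a bound, since by the comment's own wording it changes whenever a type is added.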
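Review bot: in the av_packet_add_side_data() hunk of libavcodec/avpacket.c, the new limit compares a count of elements, (unsigned)elems + 1, against AV_PKT_DATA_NB, which is a count of types; that bound is only meaningful if a packet never holds two entries of the same type, and nothing in the hunk states or enforces that. Suggest a comment documenting the assumption next to the check. The FFMIN() call also mixes the size_t result of INT_MAX / sizeof(*pkt->side_data) with an enum constant, so if the INT_MAX term is kept, two separate comparisons would make the intended types and the purpose of each limit explicit.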
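Review bot: in the av_packet_split_side_data() hunk, the check "if (i > AV_PKT_DATA_NB)" is placed after the block that ends with "p-= size+5; }", so the count is only compared once counting has finished rather than as soon as the limit is passed. Suggest moving the comparison to where i is incremented so parsing stops early, and adding a one-line comment saying why more entries than side data types are rejected, since the ERANGE return gives the caller no other indication of the reason.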