On 2017-08-16 05:04, Michael Niedermayer wrote:
Fixes: OOM
Fixes: 2710/clusterfuzz-testcase-minimized-4750001420894208
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavcodec/zmbv.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/zmbv.c b/libavcodec/zmbv.c
index f126515bd1..861098a0f2 100644
--- a/libavcodec/zmbv.c
+++ b/libavcodec/zmbv.c
@@ -589,8 +589,12 @@ static av_cold int decode_init(AVCodecContext *avctx)
// Needed if zlib unused or init aborted before inflateInit
memset(&c->zstream, 0, sizeof(z_stream));
- c->decomp_size = (avctx->width + 255) * 4 * (avctx->height + 64);
+ if ((avctx->width + 255ULL) * (avctx->height + 64ULL) > avctx->max_pixels)
{
Are width and height constrained somewhere? If both end up around 1<<32
then the multiplication can overflow.
+ av_log(avctx, AV_LOG_ERROR, "Internal buffer larger than
max_pixels\n");
+ return AVERROR_INVALIDDATA;
+ }
+ c->decomp_size = (avctx->width + 255) * 4 * (avctx->height + 64);
Use 255ULL and 64ULL maybe? It's almost conceivable that you could have
a file constructed to be (1<<31 - 255)x1 that passes the max_pixels check
/Tomas
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
