Re: [FFmpeg-devel] [PATCH 1/3] avcodec/cdtoons: Check sprite_offset is within the packet
On Mon, May 11, 2020 at 11:12:45PM +0200, Paul B Mahol wrote:
> probably ok

will apply

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

If you drop bombs on a foreign country and kill a hundred thousand
innocent people, expect your government to call the consequence
"unprovoked inhuman terrorist attacks" and use it to justify dropping
more bombs and killing more people. The technology changed, the idea is old.
Re: [FFmpeg-devel] [PATCH 1/3] avcodec/cdtoons: Check sprite_offset is within the packet
probably ok On 5/11/20, Michael Niedermayer wrote: > Fixes: out of array read > Fixes: > 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDTOONS_fuzzer-5754518731227136 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer > --- > libavcodec/cdtoons.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/cdtoons.c b/libavcodec/cdtoons.c > index 13f9a60f0f..a8609815c1 100644 > --- a/libavcodec/cdtoons.c > +++ b/libavcodec/cdtoons.c > @@ -190,6 +190,9 @@ static int cdtoons_decode_frame(AVCodecContext *avctx, > void *data, > palette_set= bytestream_get_byte(); > buf += 5; > > +if (sprite_offset > buf_size) > +return AVERROR_INVALIDDATA; > + > /* read new sprites introduced in this frame */ > buf = avpkt->data + sprite_offset; > while (sprite_count--) { > -- > 2.17.1 > > ___ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe". ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
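Review bot: the added check in the `@@ -190,6 +190,9 @@` hunk bounds `sprite_offset` only from above, so an offset that points back into the header bytes already consumed before `buf += 5` still passes, and the sprite loop would then parse header data as sprite records. That stays inside the packet, so it is not the out-of-array read the commit message names, but a lower bound against the current parse position (`buf - avpkt->data`) would reject such malformed input earlier. The declarations of `sprite_offset` and `buf_size` are outside the hunk; if `sprite_offset` is a signed type, a negative value also passes `sprite_offset > buf_size` and needs its own check.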
[FFmpeg-devel] [PATCH 1/3] avcodec/cdtoons: Check sprite_offset is within the packet
Fixes: out of array read Fixes: 20659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CDTOONS_fuzzer-5754518731227136 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/cdtoons.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/cdtoons.c b/libavcodec/cdtoons.c index 13f9a60f0f..a8609815c1 100644 --- a/libavcodec/cdtoons.c +++ b/libavcodec/cdtoons.c @@ -190,6 +190,9 @@ static int cdtoons_decode_frame(AVCodecContext *avctx, void *data, palette_set= bytestream_get_byte(); buf += 5; +if (sprite_offset > buf_size) +return AVERROR_INVALIDDATA; + /* read new sprites introduced in this frame */ buf = avpkt->data + sprite_offset; while (sprite_count--) { -- 2.17.1 ___ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
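Review bot: the guard `if (sprite_offset > buf_size)` is a strict comparison, so `sprite_offset == buf_size` is accepted and `buf = avpkt->data + sprite_offset` then points one past the end of the packet while `while (sprite_count--)` can still run. That is safe only if the loop body checks the remaining length before its first read, which is not visible in this context; if it does not, use `>=` here or reject a non-zero `sprite_count` when no bytes remain. The commit message would also be clearer if it said that the unchecked value is a file-supplied offset added to `avpkt->data`, since "out of array read" alone does not say which read.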