Commit 56e2cd9c authored by Mark Harris, committed by Michael Niedermayer

avformat/icodec: Fix crash probing fuzzed file

Avoid invalid memory read/crash when frame offset >= 0xfffffff8.
Base64-encoded example: AAABADAwMDAwMAAAMAAwMDAw/P///w==
(The previous commit verifies that p->buf_size >= 22.)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent 1b4fbf80
...@@ -63,7 +63,7 @@ static int probe(AVProbeData *p) ...@@ -63,7 +63,7 @@ static int probe(AVProbeData *p)
offset = AV_RL32(p->buf + 18 + i * 16); offset = AV_RL32(p->buf + 18 + i * 16);
if (offset < 22) if (offset < 22)
return FFMIN(i, AVPROBE_SCORE_MAX / 4); return FFMIN(i, AVPROBE_SCORE_MAX / 4);
if (offset + 8 > p->buf_size) if (offset > p->buf_size - 8)
continue; continue;
if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG) if (p->buf[offset] != 40 && AV_RB64(p->buf + offset) != PNGSIG)
return FFMIN(i, AVPROBE_SCORE_MAX / 4); return FFMIN(i, AVPROBE_SCORE_MAX / 4);
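Review bot: the rewritten guard `if (offset > p->buf_size - 8)` is only correct because `p->buf_size >= 22` is established earlier (the commit message says the previous commit verifies it); the old form `offset + 8 > p->buf_size` wrapped for an unsigned `offset >= 0xfffffff8` and let the later `p->buf[offset]` / `AV_RB64(p->buf + offset)` read out of bounds, and the new form would have the mirror problem if `p->buf_size - 8` could ever go negative and be converted for the unsigned comparison. A short comment on that line noting the `buf_size >= 22` precondition (or an `av_assert0(p->buf_size >= 22)` at the top of probe()) would keep the two commits from being separated by a future refactor.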