Commit a6099057 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/movtextdec: Fix tsmb_size check==0 check

Fixes: 173/fuzz-3-ffmpeg_SUBTITLE_AV_CODEC_ID_MOV_TEXT_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent 6ea27157
...@@ -471,10 +471,6 @@ static int mov_text_decode_frame(AVCodecContext *avctx, ...@@ -471,10 +471,6 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
tsmb_type = AV_RB32(tsmb); tsmb_type = AV_RB32(tsmb);
tsmb += 4; tsmb += 4;
if (tsmb_size == 0) {
return AVERROR_INVALIDDATA;
}
if (tsmb_size == 1) { if (tsmb_size == 1) {
if (m->tracksize + 16 > avpkt->size) if (m->tracksize + 16 > avpkt->size)
break; break;
...@@ -485,6 +481,10 @@ static int mov_text_decode_frame(AVCodecContext *avctx, ...@@ -485,6 +481,10 @@ static int mov_text_decode_frame(AVCodecContext *avctx,
m->size_var = 8; m->size_var = 8;
//size_var is equal to 8 or 16 depending on the size of box //size_var is equal to 8 or 16 depending on the size of box
if (tsmb_size == 0) {
return AVERROR_INVALIDDATA;
}
if (tsmb_size > avpkt->size - m->tracksize) if (tsmb_size > avpkt->size - m->tracksize)
break; break;
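Review bot: The relocated `if (tsmb_size == 0)` check rejects only the one value that would make no forward progress, but a box whose size field is smaller than its own header is just as malformed and still passes: `m->size_var` is set to 8 or 16 immediately above (per the comment on the `//size_var` line), so any tsmb_size in 1..size_var-1 (2..7 for the 8-byte header, since 1 is taken by the 64-bit-size branch) describes a box that ends inside its own header. The stricter `if (tsmb_size < m->size_var) return AVERROR_INVALIDDATA;` subsumes the zero case and catches those as well; presumably the loop later advances `m->tracksize` by tsmb_size, in which case such a box would re-parse bytes of the current header as the next box. The loop and the body of mov_text_decode_frame start and end outside this hunk, so the advance and the handling of the final `break` cannot be confirmed here.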