Commit bf0ba75c authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/sunrast: Check that the input is large enough for the maximally compressed image

Fixes: Timeout (17sec -> 15ms)
Fixes: 17224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SUNRAST_fuzzer-5663218491457536
Fixes: 17224/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SUNRAST_fuzzer-5735590015795200

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent 711ad71a
...@@ -100,7 +100,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, ...@@ -100,7 +100,11 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
if (ret < 0) if (ret < 0)
return ret; return ret;
if (buf_end - buf < maplength) /* scanlines are aligned on 16 bit boundaries */
len = (depth * w + 7) >> 3;
alen = len + (len & 1);
if (buf_end - buf < maplength + (len * h) * 3 / 256)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
if ((ret = ff_get_buffer(avctx, p, 0)) < 0) if ((ret = ff_get_buffer(avctx, p, 0)) < 0)
...@@ -136,10 +140,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data, ...@@ -136,10 +140,6 @@ static int sunrast_decode_frame(AVCodecContext *avctx, void *data,
stride = p->linesize[0]; stride = p->linesize[0];
} }
/* scanlines are aligned on 16 bit boundaries */
len = (depth * w + 7) >> 3;
alen = len + (len & 1);
if (type == RT_BYTE_ENCODED) { if (type == RT_BYTE_ENCODED) {
int value, run; int value, run;
uint8_t *end = ptr + h * stride; uint8_t *end = ptr + h * stride;
......
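Review bot: In the first hunk the new bound `maplength + (len * h) * 3 / 256` is evaluated in the operands' own type, and if `maplength`, `len` and `h` are 32-bit unsigned (their declarations are outside the hunk) the sum or the product can wrap, so the comparison could accept a buffer shorter than `maplength`, which the replaced `buf_end - buf < maplength` test rejected on its own. Widening the arithmetic keeps the old guarantee: `if (buf_end - buf < (int64_t)maplength + (int64_t)len * h * 3 / 256)`. The `3 / 256` factor also needs a comment stating the assumption behind it, for example `/* smallest valid input: the RLE coding can expand 3 bytes to at most 256 */`, if that is the reasoning the commit title refers to; it should be checked against the run-length decoder further down. The body of sunrast_decode_frame starts and ends outside the visible hunks.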