Commit cb2f7ea9 authored by Michael Niedermayer

avcodec/fic: Check available input space for cursor

Fixes: out of array read
Fixes: 6546/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_FIC_fuzzer-6317064647081984

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent c6a11714
...@@ -338,6 +338,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data, ...@@ -338,6 +338,10 @@ static int fic_decode_frame(AVCodecContext *avctx, void *data,
skip_cursor = 1; skip_cursor = 1;
} }
if (!skip_cursor && avpkt->size < CURSOR_OFFSET + sizeof(ctx->cursor_buf)) {
skip_cursor = 1;
}
/* Slice height for all but the last slice. */ /* Slice height for all but the last slice. */
ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices; ctx->slice_h = 16 * (ctx->aligned_height >> 4) / nslices;
if (ctx->slice_h % 16) if (ctx->slice_h % 16)
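Review bot: the new bounds check in this hunk silently falls back to `skip_cursor = 1` when the packet is too short to hold the cursor at `CURSOR_OFFSET`, and nothing in the hunk explains why a truncated packet is tolerated rather than rejected; a one-line comment stating that a short packet is treated as "no cursor present" (the same outcome as the existing `skip_cursor = 1` path just above) would make the intent clear to the next reader. Otherwise the check is correct: comparing `avpkt->size` against `CURSOR_OFFSET + sizeof(ctx->cursor_buf)` before the cursor is read is exactly the condition that prevents the out-of-array read named in the commit message, and placing it after the existing `skip_cursor` assignment keeps both skip conditions together.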