avcodec/pngdec: Fix off by 1 size in decode_zbuf()

Fixes out of array access Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/pngdec: Fix off by 1 size in decode_zbuf()
Fixes out of array access Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
e371f031 · Michael Niedermayer · a0341b4d · e371f031
Commit e371f031 authored Jan 23, 2017 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

pngdec.c libavcodec/pngdec.c +3 -3

No files found.
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data,
    av_bprint_init(bp, 0, -1);
    while (zstream.avail_in > 0) {
-        av_bprint_get_buffer(bp, 1, &buf, &buf_size);
+        av_bprint_get_buffer(bp, 2, &buf, &buf_size);
-        if (!buf_size) {
+        if (buf_size < 2) {
            ret = AVERROR(ENOMEM);
            goto fail;
        }
        zstream.next_out  = buf;
-        zstream.avail_out = buf_size;
+        zstream.avail_out = buf_size - 1;
        ret = inflate(&zstream, Z_PARTIAL_FLUSH);
        if (ret != Z_OK && ret != Z_STREAM_END) {
            ret = AVERROR_EXTERNAL;