Browse code
avcodec/snowdec: Check width
Fixes: out of array read
Fixes: 1419/clusterfuzz-testcase-minimized-6108700873850880
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 78aa93807b3e0674e34d32c0bf6f78d7f5b7927e)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2017/05/09 23:08:14Showing 1 changed files
| ... | ... |
@@ -384,6 +384,10 @@ static int decode_header(SnowContext *s){
|
| 384 | 384 |
av_log(s->avctx, AV_LOG_ERROR, "spatial_decomposition_count %d too large for size\n", s->spatial_decomposition_count); |
| 385 | 385 |
return AVERROR_INVALIDDATA; |
| 386 | 386 |
} |
| 387 |
+ if (s->avctx->width > 65536-4) {
|
|
| 388 |
+ av_log(s->avctx, AV_LOG_ERROR, "Width %d is too large\n", s->avctx->width); |
|
| 389 |
+ return AVERROR_INVALIDDATA; |
|
| 390 |
+ } |
|
| 387 | 391 |
|
| 388 | 392 |
|
| 389 | 393 |
s->qlog += get_symbol(&s->c, s->header_state, 1); |