Browse code
avcodec/dvdsub_parser: Allocate input padding
Fixes: out of array read
Fixes: 9350/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DVDSUB_fuzzer-5746777750765568
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit cd86b5cfe278af79d6b147e122d9a72c270a9fde)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer authored on 2018/07/14 01:56:10Showing 1 changed files
| ... | ... |
@@ -57,7 +57,11 @@ static int dvdsub_parse(AVCodecParserContext *s, |
| 57 | 57 |
if (pc->packet_len == 0) /* HD-DVD subpicture packet */ |
| 58 | 58 |
pc->packet_len = AV_RB32(buf+2); |
| 59 | 59 |
av_freep(&pc->packet); |
| 60 |
- pc->packet = av_malloc(pc->packet_len); |
|
| 60 |
+ if ((unsigned)pc->packet_len > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
|
|
| 61 |
+ av_log(avctx, AV_LOG_ERROR, "packet length %d is invalid\n", pc->packet_len); |
|
| 62 |
+ return buf_size; |
|
| 63 |
+ } |
|
| 64 |
+ pc->packet = av_malloc(pc->packet_len + AV_INPUT_BUFFER_PADDING_SIZE); |
|
| 61 | 65 |
} |
| 62 | 66 |
if (pc->packet) {
|
| 63 | 67 |
if (pc->packet_index + buf_size <= pc->packet_len) {
|