On Sun, Aug 28, 2022 at 07:39:53PM +0200, Michael Niedermayer wrote: > On Sun, Aug 21, 2022 at 04:23:09PM +0200, Michael Niedermayer wrote: > > On Sun, Aug 21, 2022 at 12:54:57PM +0200, Paul B Mahol wrote: > > > On Fri, Aug 19, 2022 at 12:36 AM Michael Niedermayer > > > wrote: > > > > > > > Fixes: out of array access > > > > Fixes: > > > > 50014/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEDHQ_fuzzer-4748914632294400 > > > > > > > > Alternatively the buffer size can be increased > > > > > > > > Found-by: continuous fuzzing process > > > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > > > Signed-off-by > > > > : > > > > Michael Niedermayer > > > > --- > > > > libavcodec/speedhq.c | 2 +- > > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > > > diff --git a/libavcodec/speedhq.c b/libavcodec/speedhq.c > > > > index c43de4f199..ffee5f973b 100644 > > > > --- a/libavcodec/speedhq.c > > > > +++ b/libavcodec/speedhq.c > > > > @@ -499,7 +499,7 @@ static int speedhq_decode_frame(AVCodecContext *avctx, > > > > AVFrame *frame, > > > > uint32_t second_field_offset; > > > > int ret; > > > > > > > > - if (buf_size < 4 || avctx->width < 8) > > > > + if (buf_size < 4 || avctx->width < 8 || avctx->width % 8 != 0) > > > > return AVERROR_INVALIDDATA; > > > > > > > > > > Is this right thing to do? > > > > We can increase the buffer size or change how the %8 != 0 case is handled > > WIthout a non fuzzed file with such dimensions, I do not know what the > > correct handling of such a file is. > > > What do you prefer to be done ? > > ping i will apply this in the next 24h thx [...] -- Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB Whats the most studid thing your enemy could do ? Blow himself up Whats the most studid thing you could do ? Give up your rights and freedom because your enemy blew himself up.