Date: Fri, 25 Nov 2022 17:45:29 +1100
From: Peter Ross <pross@xvid.org>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Message-ID: <Y4BkiUUWM/dO6gX0@4eb231a0d1b36cedda43a2a005befe4d>
Mail-Followup-To: FFmpeg development discussions and patches
 <ffmpeg-devel@ffmpeg.org>
References: <20221122225652.1341-1-michael@niedermayer.cc>
MIME-Version: 1.0
In-Reply-To: <20221122225652.1341-1-michael@niedermayer.cc>
Subject: Re: [FFmpeg-devel] [PATCH 1/2] avcodec/pictordec: Check that the
 image fits in the input
Content-Type: multipart/mixed; boundary="===============2355794312343107369=="
Archived-At: <https://master.gitmailbox.com/ffmpegdev/Y4BkiUUWM%2FdO6gX0@4eb231a0d1b36cedda43a2a005befe4d/>


--===============2355794312343107369==
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="W4gv7OURsv1FPQM6"
Content-Disposition: inline


--W4gv7OURsv1FPQM6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Nov 22, 2022 at 11:56:51PM +0100, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 53438/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PICTOR_fuzzer-5458939919859712
>
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpe
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/pictordec.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/pictordec.c b/libavcodec/pictordec.c
> index 71bad40a0a..09229b94fd 100644
> --- a/libavcodec/pictordec.c
> +++ b/libavcodec/pictordec.c
> @@ -162,6 +162,9 @@ static int decode_frame(AVCodecContext *avctx, AVFram=
e *frame,
> =20
>      if (av_image_check_size(s->width, s->height, 0, avctx) < 0)
>          return -1;
> +    if (bytestream2_get_bytes_left(&s->g) < s->width * s->height / 65536=
 * 5)
> +        return AVERROR_INVALIDDATA;
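
Review bot: the bound in the added check, `s->width * s->height / 65536 * 5`, uses two constants with no comment or commit-message text saying where they come from, so a reader cannot tell whether a valid file could be rejected or a hostile one still pass. Please add a one-line comment above the `if` that derives it (presumably a minimum number of input bytes per 65536 output pixels, which is an assumption on my part since the patch does not say). Also note that the integer division runs before the multiply, so for any image with fewer than 65536 pixels the right-hand side is 0 and the check never fires; if that is intended, say so in the comment, and if not, reorder or round up. The new line returns `AVERROR_INVALIDDATA` while the `av_image_check_size` check directly above returns `-1`; the new code is the better form, but the mismatch is worth a follow-up.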

how did you arrive at this formula?

-- Peter
(A907 E02F A6E5 0CD2 34CD 20D2 6760 79C5 AC40 DD6B)

--W4gv7OURsv1FPQM6
Content-Type: application/pgp-signature; name="signature.asc"


--W4gv7OURsv1FPQM6--

--===============2355794312343107369==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============2355794312343107369==--