From 3809467d4dc26a1ec7d7afb617c2a1f89eaa6a8b Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sat, 2 Oct 2021 23:37:05 +0200
Subject: avcodec/iff: limit written bytes to twice the output array size in decode_delta_l()

Fixes: Timeout
Fixes: 39436/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_IFF_ILBM_fuzzer-6624915520880640
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/iff.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/iff.c b/libavcodec/iff.c
index 6a4c466b44..1dcf0e00ed 100644
--- a/libavcodec/iff.c
+++ b/libavcodec/iff.c
@@ -1456,6 +1456,7 @@ static void decode_delta_l(uint8_t *dst,
 int planepitch_byte = (w + 7) / 8;
 int planepitch = ((w + 15) / 16) * 2;
 int pitch = planepitch * bpp;
+ int count = 0;
 
 if (buf_end - buf <= 64)
 return;
@@ -1487,6 +1488,8 @@ static void decode_delta_l(uint8_t *dst,
 int16_t cnt = bytestream2_get_be16(&ogb);
 uint16_t data;
 
+ if (count > dst_size)
+ break;
 offset = ((2 * offset) / planepitch_byte) * pitch + ((2 * offset) % planepitch_byte) + k * planepitch;
 if (cnt < 0) {
 if (bytestream2_get_bytes_left(&dgb) < 2)
@@ -1494,6 +1497,7 @@ static void decode_delta_l(uint8_t *dst,
 bytestream2_seek_p(&pb, offset, SEEK_SET);
 cnt = -cnt;
 data = bytestream2_get_be16(&dgb);
+ count += cnt;
 for (i = 0; i < cnt; i++) {
 bytestream2_put_be16(&pb, data);
 bytestream2_skip_p(&pb, dstpitch - 2);
@@ -1502,6 +1506,7 @@ static void decode_delta_l(uint8_t *dst,
 if (bytestream2_get_bytes_left(&dgb) < 2*cnt)
 break;
 bytestream2_seek_p(&pb, offset, SEEK_SET);
+ count += cnt;
 for (i = 0; i < cnt; i++) {
 data = bytestream2_get_be16(&dgb);
 bytestream2_put_be16(&pb, data);
-- 
cgit v1.2.3
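Review bot: The new guard `if (count > dst_size)` in the second hunk compares a tally of 16-bit words against a size that reads as a byte count, and nothing in the code says so; the "twice the output array size" intent lives only in the commit message. A short comment at the declaration in the first hunk would make the bound reviewable in place, e.g. `int count = 0; /* be16 words emitted so far; stop once it exceeds dst_size (about 2*dst_size bytes) so a hostile delta stream cannot loop indefinitely — the writes themselves are still bounded by pb */`, with the last clause worded to match whatever guarantee the PutByteContext actually gives here. The `count += cnt` accounting is duplicated in the third and fourth hunks and relies on `cnt` being non-negative at that point, which holds after `cnt = -cnt` in the third hunk and in the else branch of the fourth, though the `int16_t` negation of -32768 is pre-existing behaviour that this change does not touch. The entry loop containing the `break` and the plane loop that supplies `k` both start and end outside these hunks, so it cannot be confirmed from here whether the `break` leaves only the inner loop; since `count` is never reset per plane, the guard would also cut short later planes, which appears consistent with the timeout intent but is worth stating in the comment.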