avcodec/pngdec: Fix off by 1 size in decode_zbuf()

Fixes out of array access
Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e371f031b9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-01-23 01:25:27 +01:00
parent 14e5d6a009
commit 62244f37d1
1 changed files with 3 additions and 3 deletions

View File

@ -421,13 +421,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data,
av_bprint_init(bp, 0, -1); av_bprint_init(bp, 0, -1);
while (zstream.avail_in > 0) { while (zstream.avail_in > 0) {
av_bprint_get_buffer(bp, 1, &buf, &buf_size); av_bprint_get_buffer(bp, 2, &buf, &buf_size);
if (!buf_size) { if (buf_size < 2) {
ret = AVERROR(ENOMEM); ret = AVERROR(ENOMEM);
goto fail; goto fail;
} }
zstream.next_out = buf; zstream.next_out = buf;
zstream.avail_out = buf_size; zstream.avail_out = buf_size - 1;
ret = inflate(&zstream, Z_PARTIAL_FLUSH); ret = inflate(&zstream, Z_PARTIAL_FLUSH);
if (ret != Z_OK && ret != Z_STREAM_END) { if (ret != Z_OK && ret != Z_STREAM_END) {
ret = AVERROR_EXTERNAL; ret = AVERROR_EXTERNAL;