RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/bonk: Check ntaps against buffer size 

Fixes: out of array read
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_BONK_fuzzer-6739246658748416

Note: This issue was assigned to a unrelated theora bug

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2023-01-11 21:07:13 +01:00
parent 977028f9f4
commit 8e58d20e10
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/bonk.c
View File

@ -101,6 +101,10 @@ static av_cold int bonk_init(AVCodecContext *avctx)
s->samples_per_packet = AV_RL16(avctx->extradata + 15);
if (!s->samples_per_packet)
return AVERROR(EINVAL);
if (s->down_sampling * s->samples_per_packet < s->n_taps)
return AVERROR_INVALIDDATA;
s->max_framesize = s->samples_per_packet * avctx->ch_layout.nb_channels * s->down_sampling * 16LL;
if (s->max_framesize > (INT32_MAX - AV_INPUT_BUFFER_PADDING_SIZE) / 8)
return AVERROR_INVALIDDATA;