From a2dbe8005daa0628df92bb720dc341dd2d3b6fd0 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Wed, 10 Feb 2021 22:28:20 +0100 Subject: [PATCH] avcodec/pnm_parser: Check av_image_get_buffer_size() for failure Fixes: out of array access Fixes: 30135/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PBM_fuzzer-4997145650397184 Fixes: 30208/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGMYUV_fuzzer-5605891665690624.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reviewed-by: Paul B Mahol Signed-off-by: Michael Niedermayer (cherry picked from commit 5314a4996cc76e2a8534c74a66f5181e95ac64fc) Signed-off-by: Michael Niedermayer --- libavcodec/pnm_parser.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/libavcodec/pnm_parser.c b/libavcodec/pnm_parser.c index 58c3cd2431..29183f8f31 100644 --- a/libavcodec/pnm_parser.c +++ b/libavcodec/pnm_parser.c @@ -106,8 +106,10 @@ retry: if (next == END_NOT_FOUND) pnmpc->ascii_scan = sync - pnmctx.bytestream + skip; } else { - next = pnmctx.bytestream - pnmctx.bytestream_start + skip - + av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + int ret = av_image_get_buffer_size(avctx->pix_fmt, avctx->width, avctx->height, 1); + next = pnmctx.bytestream - pnmctx.bytestream_start + skip; + if (ret >= 0) + next += ret; } if (next != END_NOT_FOUND && pnmctx.bytestream_start != buf + skip) next -= pc->index;