avcodec/huffyuvdec: Check slice_offset/size

Fixes: out of array access
Fixes: 12447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5201623956062208
Fixes: 12458/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705567736168448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2019-01-21 00:39:43 +01:00
parent 4523cc5e75
commit fcbda8af17
1 changed files with 5 additions and 0 deletions

View File

@ -1268,6 +1268,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
if (nb_slices > 1) { if (nb_slices > 1) {
slice_offset = AV_RL32(avpkt->data + slices_info_offset + slice * 8); slice_offset = AV_RL32(avpkt->data + slices_info_offset + slice * 8);
slice_size = AV_RL32(avpkt->data + slices_info_offset + slice * 8 + 4); slice_size = AV_RL32(avpkt->data + slices_info_offset + slice * 8 + 4);
if (slice_offset < 0 || slice_size <= 0 || (slice_offset&3) ||
slice_offset + (int64_t)slice_size > buf_size)
return AVERROR_INVALIDDATA;
y_offset = height - (slice + 1) * slice_height; y_offset = height - (slice + 1) * slice_height;
s->bdsp.bswap_buf((uint32_t *)s->bitstream_buffer, s->bdsp.bswap_buf((uint32_t *)s->bitstream_buffer,
(const uint32_t *)(buf + slice_offset), slice_size / 4); (const uint32_t *)(buf + slice_offset), slice_size / 4);