avcodec/avpacket: Limit iterations in ff_packet_split_and_drop_side_data()
authorMichael Niedermayer <michael@niedermayer.cc>
Sun, 11 Jun 2017 20:08:04 +0000 (22:08 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 11 Jun 2017 20:09:15 +0000 (22:09 +0200)
This avoids scaning beyond what a valid packet can contain
Fixes: Timeout
Fixes: 541/clusterfuzz-testcase-610189291657625

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/avpacket.c

index a04cdaf..5ce3228 100644 (file)
@@ -495,6 +495,8 @@ int ff_packet_split_and_drop_side_data(AVPacket *pkt){
             if (p - pkt->data < size + 5)
                 return 0;
             p-= size+5;
+            if (i > AV_PKT_DATA_NB)
+                return 0;
         }
         pkt->size = p - pkt->data - size;
         av_assert0(pkt->size >= 0);