avformat/thp: Check compcount
authorMichael Niedermayer <michael@niedermayer.cc>
Sun, 31 May 2020 12:24:04 +0000 (14:24 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 7 Jun 2020 20:01:12 +0000 (22:01 +0200)
Fixes: out of array access
Fixes: 22520/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5100297658826752

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavformat/thp.c

index d3ae86c..4abff13 100644 (file)
@@ -93,6 +93,9 @@ static int thp_read_header(AVFormatContext *s)
     avio_seek (pb, thp->compoff, SEEK_SET);
     thp->compcount       = avio_rb32(pb);
 
+    if (thp->compcount > FF_ARRAY_ELEMS(thp->components))
+        return AVERROR_INVALIDDATA;
+
     /* Read the list of component types.  */
     avio_read(pb, thp->components, 16);