avcodec/y41pdec: Fix width in input buffer size check
authorMichael Niedermayer <michael@niedermayer.cc>
Wed, 10 May 2017 12:33:27 +0000 (14:33 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Wed, 10 May 2017 12:34:34 +0000 (14:34 +0200)
Fixes: out of array read
Fixes: 1437/clusterfuzz-testcase-minimized-4569970002362368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/y41pdec.c

index 1b177d4..85a39e4 100644 (file)
@@ -43,7 +43,7 @@ static int y41p_decode_frame(AVCodecContext *avctx, void *data,
     uint8_t *y, *u, *v;
     int i, j, ret;
 
-    if (avpkt->size < 3LL * avctx->height * avctx->width / 2) {
+    if (avpkt->size < 3LL * avctx->height * FFALIGN(avctx->width, 8) / 2) {
         av_log(avctx, AV_LOG_ERROR, "Insufficient input data.\n");
         return AVERROR(EINVAL);
     }