avcodec/wnv1: More strict buffer size check
authorMichael Niedermayer <michael@niedermayer.cc>
Sun, 28 May 2017 01:18:02 +0000 (03:18 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Sun, 28 May 2017 01:20:09 +0000 (03:20 +0200)
This requires at least 25% of a picture to allocate and decode it

Fixes: Timeout
Fixes: 1845/clusterfuzz-testcase-minimized-5075974343360512

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/wnv1.c

index 126c01a..915e9c7 100644 (file)
@@ -68,7 +68,7 @@ static int decode_frame(AVCodecContext *avctx,
     int prev_y = 0, prev_u = 0, prev_v = 0;
     uint8_t *rbuf;
 
-    if (buf_size <8) {
+    if (buf_size < 8 + avctx->height * (avctx->width/2)/8) {
         av_log(avctx, AV_LOG_ERROR, "Packet size %d is too small\n", buf_size);
         return AVERROR_INVALIDDATA;
     }