avcodec/rasc: Check that the number of moves is less than or equal the number of...
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 14 Dec 2018 23:10:17 +0000 (00:10 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 21 Jan 2019 06:53:26 +0000 (07:53 +0100)
Fixes: OOM
Fixes: 10307/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_RASC_fuzzer-5393974559244288

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Paul B Mahol <onemda@gmail.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 092cb17983b2660b4e050a05c739060f8e03d27a)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/rasc.c

index 67351df..1b607ac 100644 (file)
@@ -215,7 +215,7 @@ static int decode_move(AVCodecContext *avctx,
     bytestream2_skip(gb, 8);
     compression = bytestream2_get_le32(gb);
 
-    if (nb_moves > INT32_MAX / 16)
+    if (nb_moves > INT32_MAX / 16 || nb_moves > avctx->width * avctx->height)
         return AVERROR_INVALIDDATA;
 
     uncompressed_size = 16 * nb_moves;