avcodec/mjpegdec: Check that reference frame matches the current frame
authorMichael Niedermayer <michael@niedermayer.cc>
Mon, 5 Jun 2017 20:23:15 +0000 (22:23 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Thu, 15 Jun 2017 23:05:29 +0000 (01:05 +0200)
Fixes: out of array read
Fixes: 2097/clusterfuzz-testcase-minimized-5036861833609216

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 4705edbbb96e193f51c72248f508ae5693702a48)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/mjpegdec.c

index 6311fe7..d78db06 100644 (file)
@@ -1475,6 +1475,15 @@ int ff_mjpeg_decode_sos(MJpegDecodeContext *s, const uint8_t *mb_bitmask,
         return -1;
     }
 
+    if (reference) {
+        if (reference->width  != s->picture_ptr->width  ||
+            reference->height != s->picture_ptr->height ||
+            reference->format != s->picture_ptr->format) {
+            av_log(s->avctx, AV_LOG_ERROR, "Reference mismatching\n");
+            return AVERROR_INVALIDDATA;
+        }
+    }
+
     av_assert0(s->picture_ptr->data[0]);
     /* XXX: verify len field validity */
     len = get_bits(&s->gb, 16);
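Review bot: The new check compares only width, height and format, so a reference frame whose planes are not allocated would still pass it, while `s->picture_ptr` itself is guarded by the `av_assert0(s->picture_ptr->data[0])` that follows; if the scan decoder reads `reference->data[]` directly (inferred, that code is outside the hunk), adding `!reference->data[0]` to the same condition would keep the two frames under the same guard. The error message gives no triage detail; `"Reference mismatching (%dx%d fmt %d vs %dx%d fmt %d)\n"` with both geometries would tell a fuzz or bug reporter what was rejected. The two nested ifs can be collapsed into one, `if (reference && (reference->width != s->picture_ptr->width || ...))`, which is how the surrounding validation is written. A short why-comment above the check, `/* a reference of different geometry would be read out of bounds by the scan decoder */`, would keep the reason from the commit message at the site. ff_mjpeg_decode_sos starts before the hunk and continues after it.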