From: Michael Niedermayer <[email protected]> Fixes out of array accesses Fixes: 1378/clusterfuzz-testcase-minimized-5715088008806400 Fixes: 1427/clusterfuzz-testcase-minimized-5020737339392000 Bug-Id: CVE-2017-9996 CC: [email protected]
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d) (cherry picked from commit 1e42736b95065c69a7481d0cf55247024f54b660) Signed-off-by: Diego Biurrun <[email protected]> --- libavcodec/cdxl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libavcodec/cdxl.c b/libavcodec/cdxl.c index e7cb79caf0..7f1dec4a6c 100644 --- a/libavcodec/cdxl.c +++ b/libavcodec/cdxl.c @@ -244,9 +244,9 @@ static int cdxl_decode_frame(AVCodecContext *avctx, void *data, c->padded_bits = aligned_width - c->avctx->width; if (c->video_size < aligned_width * avctx->height * c->bpp / 8) return AVERROR_INVALIDDATA; - if (!encoding && c->palette_size && c->bpp <= 8) { + if (!encoding && c->palette_size && c->bpp <= 8 && c->format != CHUNKY) { avctx->pix_fmt = AV_PIX_FMT_PAL8; - } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8)) { + } else if (encoding == 1 && (c->bpp == 6 || c->bpp == 8) && c->format != CHUNKY) { if (c->palette_size != (1 << (c->bpp - 1))) return AVERROR_INVALIDDATA; avctx->pix_fmt = AV_PIX_FMT_BGR24; -- 2.11.0 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
