avcodec/gdv: Check input palette size before rescale()

Fixes: Timeout (22sec -> 11sec) Fixes: 13576/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5681024577568768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f857753f) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/gdv: Check input palette size before rescale()
Fixes: Timeout (22sec -> 11sec) Fixes: 13576/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_GDV_fuzzer-5681024577568768 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegReviewed-by: Paul B Mahol <onemda@gmail.com> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit f857753f) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
af511f8a · Michael Niedermayer · 4fee9b69 · af511f8a
Commit af511f8a authored Apr 25, 2019 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

gdv.c libavcodec/gdv.c +2 -2

No files found.
--- a/libavcodec/gdv.c
+++ b/libavcodec/gdv.c
@@ -425,6 +425,8 @@ static int gdv_decode_frame(AVCodecContext *avctx, void *data,
    if (pal && pal_size == AVPALETTE_SIZE)
        memcpy(gdv->pal, pal, AVPALETTE_SIZE);

+    if (compression < 2 && bytestream2_get_bytes_left(gb) < 256*3)
+        return AVERROR_INVALIDDATA;
    rescale(gdv, gdv->frame, avctx->width, avctx->height,
            !!(flags & 0x10), !!(flags & 0x20));

@@ -432,8 +434,6 @@ static int gdv_decode_frame(AVCodecContext *avctx, void *data,
    case 1:
        memset(gdv->frame + PREAMBLE_SIZE, 0, gdv->frame_size - PREAMBLE_SIZE);
    case 0:
-        if (bytestream2_get_bytes_left(gb) < 256*3)
-            return AVERROR_INVALIDDATA;
        for (i = 0; i < 256; i++) {
            unsigned r = bytestream2_get_byte(gb);
            unsigned g = bytestream2_get_byte(gb);