FFmpeg/libavcodec/y41pdec.c
Michael Niedermayer 3d8d372947 avcodec/y41pdec: Fix width in input buffer size check
Fixes: out of array read
Fixes: 1437/clusterfuzz-testcase-minimized-4569970002362368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2017-05-10 14:34:34 +02:00

93 lines
2.6 KiB
C

/*
* y41p decoder
*
* Copyright (c) 2012 Paul B Mahol
*
* This file is part of FFmpeg.
*
* FFmpeg is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* FFmpeg is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with FFmpeg; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "avcodec.h"
#include "internal.h"
static av_cold int y41p_decode_init(AVCodecContext *avctx)
{
avctx->pix_fmt = AV_PIX_FMT_YUV411P;
avctx->bits_per_raw_sample = 12;
if (avctx->width & 7) {
av_log(avctx, AV_LOG_WARNING, "y41p requires width to be divisible by 8.\n");
}
return 0;
}
static int y41p_decode_frame(AVCodecContext *avctx, void *data,
int *got_frame, AVPacket *avpkt)
{
AVFrame *pic = data;
uint8_t *src = avpkt->data;
uint8_t *y, *u, *v;
int i, j, ret;
if (avpkt->size < 3LL * avctx->height * FFALIGN(avctx->width, 8) / 2) {
av_log(avctx, AV_LOG_ERROR, "Insufficient input data.\n");
return AVERROR(EINVAL);
}
if ((ret = ff_get_buffer(avctx, pic, 0)) < 0)
return ret;
pic->key_frame = 1;
pic->pict_type = AV_PICTURE_TYPE_I;
for (i = avctx->height - 1; i >= 0 ; i--) {
y = &pic->data[0][i * pic->linesize[0]];
u = &pic->data[1][i * pic->linesize[1]];
v = &pic->data[2][i * pic->linesize[2]];
for (j = 0; j < avctx->width; j += 8) {
*(u++) = *src++;
*(y++) = *src++;
*(v++) = *src++;
*(y++) = *src++;
*(u++) = *src++;
*(y++) = *src++;
*(v++) = *src++;
*(y++) = *src++;
*(y++) = *src++;
*(y++) = *src++;
*(y++) = *src++;
*(y++) = *src++;
}
}
*got_frame = 1;
return avpkt->size;
}
AVCodec ff_y41p_decoder = {
.name = "y41p",
.long_name = NULL_IF_CONFIG_SMALL("Uncompressed YUV 4:1:1 12-bit"),
.type = AVMEDIA_TYPE_VIDEO,
.id = AV_CODEC_ID_Y41P,
.init = y41p_decode_init,
.decode = y41p_decode_frame,
.capabilities = AV_CODEC_CAP_DR1,
};