Andrew Geissler | d1e8949 | 2021-02-12 15:35:20 -0600 | [diff] [blame] | 1 | From 3e5959b3457f7f1856d997261e6ac672bba49e8b Mon Sep 17 00:00:00 2001 |
| 2 | From: Michael Niedermayer <michael@niedermayer.cc> |
| 3 | Date: Sat, 24 Oct 2020 22:21:48 +0200 |
| 4 | Subject: [PATCH] avcodec/exr: Check ymin vs. h |
| 5 | |
| 6 | Fixes: out of array access |
| 7 | Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344 |
| 8 | Fixes: 27443/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5631239813595136 |
| 9 | |
| 10 | Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg |
| 11 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> |
| 12 | |
| 13 | Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b] |
| 14 | |
| 15 | CVE: CVE-2020-35965 |
| 16 | |
| 17 | Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> |
| 18 | Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> |
| 19 | --- |
| 20 | libavcodec/exr.c | 2 +- |
| 21 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 22 | |
| 23 | diff --git a/libavcodec/exr.c b/libavcodec/exr.c |
| 24 | index e907c5c46401..8b701d1cd298 100644 |
| 25 | --- a/libavcodec/exr.c |
| 26 | +++ b/libavcodec/exr.c |
| 27 | @@ -1830,7 +1830,7 @@ static int decode_frame(AVCodecContext *avctx, void *data, |
| 28 | // Zero out the start if ymin is not 0 |
| 29 | for (i = 0; i < planes; i++) { |
| 30 | ptr = picture->data[i]; |
| 31 | - for (y = 0; y < s->ymin; y++) { |
| 32 | + for (y = 0; y < FFMIN(s->ymin, s->h); y++) { |
| 33 | memset(ptr, 0, out_line_size); |
| 34 | ptr += picture->linesize[i]; |
| 35 | } |