Changeset View
Changeset View
Standalone View
Standalone View
head/multimedia/mythtv/files/patch-CVE-2017-07866
Property | Old Value | New Value |
---|---|---|
fbsd:nokeywords | null | yes \ No newline at end of property |
svn:eol-style | null | native \ No newline at end of property |
svn:mime-type | null | text/plain \ No newline at end of property |
From bd6c1d5149fbc4f2a0200ad99e7f56f4fb7d518a Mon Sep 17 00:00:00 2001 | |||||
From: Michael Niedermayer <michael@niedermayer.cc> | |||||
Date: Mon, 23 Jan 2017 01:25:27 +0100 | |||||
Subject: [PATCH] avcodec/pngdec: Fix off by 1 size in decode_zbuf() | |||||
Fixes out of array access | |||||
Fixes: 444/fuzz-2-ffmpeg_VIDEO_AV_CODEC_ID_PNG_fuzzer | |||||
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/targets/ffmpeg | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
(cherry picked from commit e371f031b942d73e02c090170975561fabd5c264) | |||||
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> | |||||
--- | |||||
libavcodec/pngdec.c | 6 +++--- | |||||
1 file changed, 3 insertions(+), 3 deletions(-) | |||||
diff --git libavcodec/pngdec.c libavcodec/pngdec.c | |||||
index 36275ae43f5..7ade0cee661 100644 | |||||
--- external/FFmpeg/libavcodec/pngdec.c | |||||
+++ external/FFmpeg/libavcodec/pngdec.c | |||||
@@ -437,13 +437,13 @@ static int decode_zbuf(AVBPrint *bp, const uint8_t *data, | |||||
av_bprint_init(bp, 0, -1); | |||||
while (zstream.avail_in > 0) { | |||||
- av_bprint_get_buffer(bp, 1, &buf, &buf_size); | |||||
- if (!buf_size) { | |||||
+ av_bprint_get_buffer(bp, 2, &buf, &buf_size); | |||||
+ if (buf_size < 2) { | |||||
ret = AVERROR(ENOMEM); | |||||
goto fail; | |||||
} | |||||
zstream.next_out = buf; | |||||
- zstream.avail_out = buf_size; | |||||
+ zstream.avail_out = buf_size - 1; | |||||
ret = inflate(&zstream, Z_PARTIAL_FLUSH); | |||||
if (ret != Z_OK && ret != Z_STREAM_END) { | |||||
ret = AVERROR_EXTERNAL; |