github-mirrors/FFmpeg
1
0
Fork 0
mirror of https://mirror.skon.top/https://github.com/FFmpeg/FFmpeg synced 2026-04-20 12:50:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/svq1dec: Check input space for minimum

Browse Source 
We reject inputs that are significantly smaller than the smallest frame.
This check raises the minimum input needed before time consuming computations are performed
it thus improves the computation per input byte and reduces the potential DoS impact

Fixes: Timeout
Fixes: 472769364/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SVQ1_DEC_fuzzer-5519737145851904

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2026-02-10 18:42:07 +01:00
committed by michaelni
parent fcffc0e1c5
commit d538a71ad5
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
libavcodec/svq1dec.c
View File

@@ -696,6 +696,11 @@ static int svq1_decode_frame(AVCodecContext *avctx, AVFrame *cur,
avctx->skip_frame >= AVDISCARD_ALL)
return buf_size;
// Reject obviously too-small packets early: require at least one remaining bit per aligned luma macroblock.
// FFALIGN(s->width, 16) * FFALIGN(s->height, 16) / 256 represent the number of Macroblocks
if (get_bits_left(&s->gb) < FFALIGN(s->width, 16) * FFALIGN(s->height, 16) / 256)
return AVERROR_INVALIDDATA;
result = ff_get_buffer(avctx, cur, s->nonref ? 0 : AV_GET_BUFFER_FLAG_REF);
if (result < 0)
return result;