Skip to content
Permalink
Browse files Browse the repository at this point in the history
avcodec/exr: skip bottom clearing loop when its outside the image
Fixes: signed integer overflow: 1633771809 * 32960 cannot be represented in type 'int'
Fixes: 26532/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EXR_fuzzer-5613925708857344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  • Loading branch information
michaelni committed Nov 22, 2020
1 parent 3e5959b commit b0a8b40
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions libavcodec/exr.c
Expand Up @@ -1842,13 +1842,14 @@ static int decode_frame(AVCodecContext *avctx, void *data,

ymax = FFMAX(0, s->ymax + 1);
// Zero out the end if ymax+1 is not h
for (i = 0; i < planes; i++) {
ptr = picture->data[i] + (ymax * picture->linesize[i]);
for (y = ymax; y < avctx->height; y++) {
memset(ptr, 0, out_line_size);
ptr += picture->linesize[i];
if (ymax < avctx->height)
for (i = 0; i < planes; i++) {
ptr = picture->data[i] + (ymax * picture->linesize[i]);
for (y = ymax; y < avctx->height; y++) {
memset(ptr, 0, out_line_size);
ptr += picture->linesize[i];
}
}
}

picture->pict_type = AV_PICTURE_TYPE_I;
*got_frame = 1;
Expand Down

0 comments on commit b0a8b40

Please sign in to comment.