Skip to content

Commit

Permalink
avcodec/speexdec: Consider mode in frame size check
Browse files Browse the repository at this point in the history
No speex samples with non default frame sizes are known (to me)
the official speexenc seems to only generate the 3 default ones.
Thus it may be that the fuzzer samples where the first non default
values encountered by the decoder.
Possibly the "<" should be "!="

Fixes: out of array access
Fixes: 42821/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SPEEX_fuzzer-5640695772217344

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
  • Loading branch information
michaelni committed Jan 1, 2022
1 parent c417616 commit d6b2357
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion libavcodec/speexdec.c
Expand Up @@ -1419,7 +1419,7 @@ static int parse_speex_extradata(AVCodecContext *avctx,
return AVERROR_INVALIDDATA;
s->bitrate = bytestream_get_le32(&buf);
s->frame_size = bytestream_get_le32(&buf);
if (s->frame_size < NB_FRAME_SIZE)
if (s->frame_size < NB_FRAME_SIZE << s->mode)
return AVERROR_INVALIDDATA;
s->vbr = bytestream_get_le32(&buf);
s->frames_per_packet = bytestream_get_le32(&buf);
Expand Down

0 comments on commit d6b2357

Please sign in to comment.