From fcbda8af175a1f305c46d6d46a4f90be4aa630ae Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Mon, 21 Jan 2019 00:39:43 +0100
Subject: [PATCH] avcodec/huffyuvdec: Check slice_offset/size

Fixes: out of array access
Fixes: 12447/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5201623956062208
Fixes: 12458/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HYMT_fuzzer-5705567736168448

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/huffyuvdec.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/huffyuvdec.c b/libavcodec/huffyuvdec.c
index 8226c07743..27f650d7bf 100644
--- a/libavcodec/huffyuvdec.c
+++ b/libavcodec/huffyuvdec.c
@@ -1268,6 +1268,11 @@ static int decode_frame(AVCodecContext *avctx, void *data, int *got_frame,
         if (nb_slices > 1) {
             slice_offset = AV_RL32(avpkt->data + slices_info_offset + slice * 8);
             slice_size = AV_RL32(avpkt->data + slices_info_offset + slice * 8 + 4);
+
+            if (slice_offset < 0 || slice_size <= 0 || (slice_offset&3) ||
+                slice_offset + (int64_t)slice_size > buf_size)
+                return AVERROR_INVALIDDATA;
+
             y_offset = height - (slice + 1) * slice_height;
             s->bdsp.bswap_buf((uint32_t *)s->bitstream_buffer,
                               (const uint32_t *)(buf + slice_offset), slice_size / 4);
-- 
GitLab