Protect against oversized (out of bounds) samples in avif sample tables Fixes oss-fuzz @ 21947
diff --git a/src/read.c b/src/read.c
index 735d841..f258846 100644
--- a/src/read.c
+++ b/src/read.c
@@ -344,6 +344,9 @@
 if (sampleOffset > (uint64_t)rawInput->size) {
 return AVIF_FALSE;
 }
+ if ((sampleOffset + sampleSize) > (uint64_t)rawInput->size) {
+ return AVIF_FALSE;
+ }
 sampleOffset += sampleSize;
 ++sampleSizeIndex;
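Review bot: The added bound `(sampleOffset + sampleSize) > (uint64_t)rawInput->size` uses an addition that could wrap if `sampleSize` is a 64-bit value read from the file, which would let an oversized sample pass the check. The declaration of `sampleSize` is outside the hunk, so if it is a 32-bit type the wrap is not reachable in practice. Because the preceding check already guarantees `sampleOffset <= rawInput->size`, the subtraction form cannot overflow for any operand width: `if (sampleSize > (uint64_t)rawInput->size - sampleOffset) {`. A one-line comment above the two checks, such as `// offsets and sizes come from untrusted sample tables; reject anything past the end of rawInput`, would record why both are needed. The enclosing loop begins and ends outside the hunk, so whether the sample is recorded before these checks run cannot be confirmed from here.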