author | Tristan Matthews <tmatth@videolan.org> | 2019-03-02 11:06:39 +0300 |
---|---|---|
committer | Tristan Matthews <tmatth@videolan.org> | 2019-03-02 11:07:58 +0300 |
commit | a51c008a832c00532c62ec6c951b8ecb1d99f728 (patch) | |
tree | 1a8d241f51ebe63bf89388173a2ac81a99c6e4f4 | |
parent | f121e3869d083f881870c4b3dc5bee55404cf536 (diff) |
oss-fuzz: reject ogg serial numbers that will overflow
-rw-r--r-- | contrib/oss-fuzz/speexdec_fuzzer.cc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/contrib/oss-fuzz/speexdec_fuzzer.cc b/contrib/oss-fuzz/speexdec_fuzzer.cc
index 5b1229f..e520405 100644
--- a/contrib/oss-fuzz/speexdec_fuzzer.cc
+++ b/contrib/oss-fuzz/speexdec_fuzzer.cc
@@ -134,6 +134,10 @@ static void *process_header(ogg_packet *op, spx_int32_t enh_enabled, spx_int32_t
    return st;
 }
 
+static int is_safe_ogg_page_serialno(const ogg_page *og) {
+  return og->header[15] < (1 << 23) && og->header[16] < (1 << 15) && og->header[17] < (1 << 7);
+}
+
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *fuzz_data, size_t fuzz_size)
 {
    output_type output[MAX_FRAME_SIZE];
@@ -183,6 +187,12 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *fuzz_data, size_t fuzz_size
       while (ogg_sync_pageout(&oy, &og)==1)
       {
          int packet_no;
+         if (!is_safe_ogg_page_serialno(&og)) {
+            speex_bits_destroy(&bits);
+            ogg_sync_clear(&oy);
+            return 0;
+         }
+
          if (stream_init == 0) {
             ogg_stream_init(&os, ogg_page_serialno(&og));
             stream_init = 1;
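Review bot: The first two comparisons in is_safe_ogg_page_serialno are vacuous — og->header[] holds unsigned char values, so `og->header[15] < (1 << 23)` and `og->header[16] < (1 << 15)` are always true and only `og->header[17] < (1 << 7)` does any work, which makes the intent of the guard hard to read. That last test is the one that matters: libogg's ogg_page_serialno() assembles the serial number as an int from `header[17] << 24`, so a top byte of 0x80 or above shifts into the sign bit, which is undefined behaviour in C and pre-C++20 C++ and is presumably what the sanitizer reported. I would reduce the body to `return og->header[17] < 0x80;` and put the reason in a comment such as `/* ogg_page_serialno() computes header[17] << 24 into an int; a top byte >= 0x80 lands in the sign bit (UB), so refuse such pages. */`. Reading header[17] without checking header_len is safe here only because ogg_sync_pageout() returns 1 solely for a page with a complete 27-byte header; a one-line comment stating that dependency would help the next reader.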
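Review bot: The early return added after `int packet_no;` leaks the Ogg stream state when the offending page is not the first one: by then `stream_init` is 1 and `ogg_stream_init(&os, …)` has already run, but the bail-out only calls speex_bits_destroy() and ogg_sync_clear(), never ogg_stream_clear(&os). ogg_stream_init allocates the stream's body and lacing buffers, so LeakSanitizer will, as far as I can tell, flag this the first time the fuzzer sees a multi-page input whose later page carries a serial number with the top bit set — turning the UB report into a leak report rather than removing the noise. Add `if (stream_init) ogg_stream_clear(&os);` before `return 0;`, and check whether the decoder state returned by process_header (`st`) or anything else allocated earlier in the function is released on the normal exit path, which lies outside this hunk, and therefore needs the same treatment here. LLVMFuzzerTestOneInput starts and ends outside the hunk.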