diff options
| author | Tristan Matthews <tmatth@videolan.org> | 2019-03-05 02:06:04 +0300 |
|---|---|---|
| committer | Tristan Matthews <tmatth@videolan.org> | 2019-03-05 02:12:49 +0300 |
| commit | ce8ff5078d1b396276e2566313a28852f89b4a69 (patch) | |
| tree | 8a8f5767bebf11a33c926c86343c2c886a470d87 | |
| parent | 587e0812ef8c5f425e0fc9885eb1b2f8b6dec40e (diff) | |
oss-fuzz: reject page granulepos that will overflow
| -rw-r--r-- | contrib/oss-fuzz/speexdec_fuzzer.cc | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/contrib/oss-fuzz/speexdec_fuzzer.cc b/contrib/oss-fuzz/speexdec_fuzzer.cc index a56a6cd..cc22b90 100644 --- a/contrib/oss-fuzz/speexdec_fuzzer.cc +++ b/contrib/oss-fuzz/speexdec_fuzzer.cc @@ -152,6 +152,20 @@ static int is_safe_ogg_page_pageno(const ogg_page *og) { return og->header[21] < (1 << 7); } +static int is_safe_ogg_page_granulepos(const ogg_page *og){ + int i; + unsigned char *page=og->header; + ogg_int64_t granulepos=page[13]&(0xff); + for (i = 12; i > 5; i--) { + if (granulepos > (INT64_MAX >> 8)) { + return 0; + } + granulepos = (granulepos<<8)|(page[i]&0xff); + } + return 1; +} + + extern "C" int LLVMFuzzerTestOneInput(const uint8_t *fuzz_data, size_t fuzz_size) { output_type output[MAX_FRAME_SIZE]; @@ -216,7 +230,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *fuzz_data, size_t fuzz_size ogg_stream_reset_serialno(&os, ogg_page_serialno(&og)); } - if (!is_safe_ogg_page_pageno(&og)) { + if (!is_safe_ogg_page_pageno(&og) || !is_safe_ogg_page_granulepos(&og)) { speex_bits_destroy(&bits); ogg_sync_clear(&oy); return 0; |