avcodec/pngdec: Check amount decoded

Fixes: Timeout (70sec -> 243ms) Fixes: 16097/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5664690889293824 Fixes: 16927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5170612070252544 Fixes: 16927/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5706325622784000 Fixes: 18705/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_APNG_fuzzer-5650989302677504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer 2019-08-17 23:55:34 +0200
committer: Michael Niedermayer 2020-02-03 23:59:07 +0100
commit: 861183f2e655ad5d399a8a23b6b6b48463962c5e (patch)
tree: 72f79c88479aa0f1f260a8a835d256e8136d6f70
parent: eb64a5c6f94981e4a68ad65a6e445557e11c08fc (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/libavcodec/pngdec.c b/libavcodec/pngdec.c
index d37dabcc4d..3ce980fc15 100644
--- a/libavcodec/pngdec.c
+++ b/libavcodec/pngdec.c
@@ -320,6 +320,15 @@ static void deloco_ ## NAME(TYPE *dst, int size, int alpha) \
 YUV2RGB(rgb8, uint8_t)
 YUV2RGB(rgb16, uint16_t)
 
+static int percent_missing(PNGDecContext *s)
+{
+    if (s->interlace_type) {
+        return 100 - 100 * s->pass / (NB_PASSES - 1);
+    } else {
+        return 100 - 100 * s->y / s->cur_h;
+    }
+}
+
 /* process exactly one decompressed row */
 static void png_handle_row(PNGDecContext *s)
 {
@@ -1354,6 +1363,9 @@ exit_loop:
         return 0;
     }
 
+    if (percent_missing(s) > avctx->discard_damaged_percentage)
+        return AVERROR_INVALIDDATA;
+
     if (s->bits_per_pixel <= 4)
         handle_small_bpp(s, p);
author	Michael Niedermayer	2019-08-17 23:55:34 +0200
committer	Michael Niedermayer	2020-02-03 23:59:07 +0100
commit	861183f2e655ad5d399a8a23b6b6b48463962c5e (patch)
tree	72f79c88479aa0f1f260a8a835d256e8136d6f70
parent	eb64a5c6f94981e4a68ad65a6e445557e11c08fc (diff)