| Message ID | 20170724153425.21586-2-michael@niedermayer.cc |
|---|---|
| State | Accepted |
| Commit | 1b00600319506a9bd81b114d2b374051dc1a29a6 |
| Headers | show |
2017-07-24 17:34 GMT+02:00 Michael Niedermayer <michael@niedermayer.cc>: > Fixes: 2707/clusterfuzz-testcase-minimized-5179636394754048 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/jpeg2000dec.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c > index b67efc76bb..dd9c60feb4 100644 > --- a/libavcodec/jpeg2000dec.c > +++ b/libavcodec/jpeg2000dec.c > @@ -2075,6 +2075,11 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) > hden = bytestream2_get_be16u(&s->g); > vexp = bytestream2_get_byteu(&s->g); > hexp = bytestream2_get_byteu(&s->g); > + if (!vnum || !vden || !hnum || !vden) { > + bytestream2_seek(&s->g, atom2_end, SEEK_SET); > + av_log(s->avctx, AV_LOG_WARNING, "RES box invalid\n"); > + continue; > + } Thank you! I believe it is possible to move the "resd"/"resc" check above down if you think that simplifies the code. Carl Eugen
On Mon, Jul 24, 2017 at 07:56:34PM +0200, Carl Eugen Hoyos wrote: > 2017-07-24 17:34 GMT+02:00 Michael Niedermayer <michael@niedermayer.cc>: > > Fixes: 2707/clusterfuzz-testcase-minimized-5179636394754048 > > > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/jpeg2000dec.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c > > index b67efc76bb..dd9c60feb4 100644 > > --- a/libavcodec/jpeg2000dec.c > > +++ b/libavcodec/jpeg2000dec.c > > @@ -2075,6 +2075,11 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) > > hden = bytestream2_get_be16u(&s->g); > > vexp = bytestream2_get_byteu(&s->g); > > hexp = bytestream2_get_byteu(&s->g); > > + if (!vnum || !vden || !hnum || !vden) { > > + bytestream2_seek(&s->g, atom2_end, SEEK_SET); > > + av_log(s->avctx, AV_LOG_WARNING, "RES box invalid\n"); > > + continue; > > + } > > Thank you! > > I believe it is possible to move the "resd"/"resc" check above down if you think > that simplifies the code. That could be done, but it somehow doesnt feel right. The type should be checked before reading the values. ill apply the patches as they are thx [...]
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index b67efc76bb..dd9c60feb4 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -2075,6 +2075,11 @@ static int jp2_find_codestream(Jpeg2000DecoderContext *s) hden = bytestream2_get_be16u(&s->g); vexp = bytestream2_get_byteu(&s->g); hexp = bytestream2_get_byteu(&s->g); + if (!vnum || !vden || !hnum || !vden) { + bytestream2_seek(&s->g, atom2_end, SEEK_SET); + av_log(s->avctx, AV_LOG_WARNING, "RES box invalid\n"); + continue; + } if (vexp > hexp) { vexp -= hexp; hexp = 0;
Fixes: 2707/clusterfuzz-testcase-minimized-5179636394754048 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/jpeg2000dec.c | 5 +++++ 1 file changed, 5 insertions(+)