From patchwork Thu Jun 9 21:37:39 2022
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 36099
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Thu, 9 Jun 2022 23:37:39 +0200
Message-Id: <20220609213741.18029-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 1/3] avcodec/jpeglsdec: fix end check for xfrm

Fixes: out of array access
Fixes: 47871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_AMV_fuzzer-5646305956855808
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
--- libavcodec/jpeglsdec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c index 399837cf2f..ab663dc1fc 100644 --- a/libavcodec/jpeglsdec.c +++ b/libavcodec/jpeglsdec.c @@ -484,19 +484,19 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, for (i = 0; i < s->height; i++) { switch(s->xfrm) { case 1: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += src[x+1] + 128; } break; case 2: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { src[x ] += src[x+1] + 128; src[x+2] += ((src[x ] + src[x+1])>>1) + 128; } break; case 3: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int g = src[x+0] - ((src[x+2]+src[x+1])>>2) + 64; src[x+0] = src[x+2] + g + 128; src[x+2] = src[x+1] + g + 128; 
@@ -504,7 +504,7 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s, int near, } break; case 4: - for (x = off; x < w; x += 3) { + for (x = off; x + 2 < w; x += 3) { int r = src[x+0] - (( 359 * (src[x+2]-128) + 490) >> 8); int g = src[x+0] - (( 88 * (src[x+1]-128) - 183 * (src[x+2]-128) + 30) >> 8); int b = src[x+0] + ((454 * (src[x+1]-128) + 574) >> 8);
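Review bot: in the first hunk (cases 1, 2 and 3) the new bound `x + 2 < w` ends each loop before a trailing partial triplet, so whenever `w - off` is not a multiple of 3 the last one or two samples of the row are silently left untransformed. That is the safe side of the old `x < w`, which let `src[x+1]` and `src[x+2]` be read and `src[x+2]` be written at or past `w`, but the decoder now emits a partly transformed row with no diagnostic. Please either add a short comment at the switch stating that leftover samples are intentionally skipped, or reject or warn about such a width where `xfrm` is set up, so the skipped tail is a documented decision and not a side effect of the bounds fix.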
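Review bot: in the second hunk (case 4) this is the fourth hand-written copy of `x + 2 < w`, and nothing ties the `+ 2` to the highest index the body touches (`src[x+2]`), so a later xfrm case or an edit to one loop can easily bring back `x < w`. Consider computing the bound once before the switch, for example `const int end = w - 2;`, and using `x < end` in all four loops, with a one-line comment that every iteration accesses `src[x]` through `src[x+2]`. The commit message only says "out of array access"; naming the `x+1`/`x+2` accesses there would also make the fix easier to audit when it is backported.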