[FFmpeg-devel,3/3] avcodec/jpegxl_parser: Check get_vlc2()

Message ID	20231108021244.8669-3-michael@niedermayer.cc
State	Accepted
Commit	850ab8f6da58f8ac1012bef1eb69f7924a8cf620
Headers	show Delivered-To: ffmpegpatchwork2@gmail.com Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100; From: Michael Niedermayer <michael@niedermayer.cc> To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> Date: Wed, 8 Nov 2023 03:12:44 +0100 Message-Id: <20231108021244.8669-3-michael@niedermayer.cc> In-Reply-To: <20231108021244.8669-1-michael@niedermayer.cc> References: <20231108021244.8669-1-michael@niedermayer.cc> Subject: [FFmpeg-devel] [PATCH 3/3] avcodec/jpegxl_parser: Check get_vlc2() Precedence: list Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Series	[FFmpeg-devel,1/3] avformat/mov: Disallow FTYP after streams \| expand [FFmpeg-devel,1/3] avformat/mov: Disallow FTYP after streams [FFmpeg-devel,2/3] avcodec/4xm: Check for cfrm exhaustion [FFmpeg-devel,3/3] avcodec/jpegxl_parser: Check get_vlc2()

Message ID

20231108021244.8669-3-michael@niedermayer.cc

State

Accepted

Commit

850ab8f6da58f8ac1012bef1eb69f7924a8cf620

Headers

Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
From: Michael Niedermayer <michael@niedermayer.cc>
To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Date: Wed,  8 Nov 2023 03:12:44 +0100
Message-Id: <20231108021244.8669-3-michael@niedermayer.cc>
In-Reply-To: <20231108021244.8669-1-michael@niedermayer.cc>
References: <20231108021244.8669-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 3/3] avcodec/jpegxl_parser: Check get_vlc2()
Precedence: list
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>

Series

[FFmpeg-devel,1/3] avformat/mov: Disallow FTYP after streams | expand

Checks

Context	Check	Description
yinshiyou/make_loongarch64	success	Make finished
yinshiyou/make_fate_loongarch64	success	Make fate finished
andriy/make_x86	success	Make finished
andriy/make_fate_x86	success	Make fate finished

Context

Check

Description

yinshiyou/make_loongarch64

success

Make finished

yinshiyou/make_fate_loongarch64

success

Make fate finished

andriy/make_x86

success

Make finished

andriy/make_fate_x86

success

Make fate finished

Commit Message

Michael Niedermayer Nov. 8, 2023, 2:12 a.m. UTC

Fixes: shift exponent -1 is negative
Fixes: 63889/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6009343056936960

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/jpegxl_parser.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Michael Niedermayer Dec. 29, 2023, 6:23 p.m. UTC | #1

On Wed, Nov 08, 2023 at 03:12:44AM +0100, Michael Niedermayer wrote:
> Fixes: shift exponent -1 is negative
> Fixes: 63889/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-6009343056936960
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/jpegxl_parser.c | 8 ++++++++
>  1 file changed, 8 insertions(+)

will apply

[...]

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 630fc8a60bf..964f5a9ad5a 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -698,6 +698,10 @@  static int read_vlc_prefix(GetBitContext *gb, JXLEntropyDecoder *dec, JXLSymbolD
     level1_codecounts[0] = hskip;
     for (int i = hskip; i < 18; i++) {
         len = level1_lens[prefix_codelen_map[i]] = get_vlc2(gb, level0_table, 4, 1);
+        if (len < 0) {
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
         level1_codecounts[len]++;
         if (len) {
             total_code += (32 >> len);
@@ -743,6 +747,10 @@  static int read_vlc_prefix(GetBitContext *gb, JXLEntropyDecoder *dec, JXLSymbolD
     total_code = 0;
     for (int i = 0; i < dist->alphabet_size; i++) {
         len = get_vlc2(gb, level1_vlc.table, 5, 1);
+        if (len < 0) {
+            ret = AVERROR_INVALIDDATA;
+            goto end;
+        }
         if (get_bits_left(gb) < 0) {
             ret = AVERROR_BUFFER_TOO_SMALL;
             goto end;

[FFmpeg-devel,3/3] avcodec/jpegxl_parser: Check get_vlc2()

Checks

Commit Message

Comments

Patch