diff mbox series

[FFmpeg-devel] avcodec/jpegxl_parser: check ANS cluster alphabet size vs bundle size

Message ID 20231223025733.85366-1-leo.izen@gmail.com
State New
Headers show
Series [FFmpeg-devel] avcodec/jpegxl_parser: check ANS cluster alphabet size vs bundle size | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Leo Izen Dec. 23, 2023, 2:57 a.m. UTC 
The specification doesn't mention that clusters cannot have alphabet
sizes greater than 1 << bundle->log_alphabet_size, but the reference
implementation rejects these entropy streams as invalid, so we should
too. Refusing to do so can overflow a stack variable on line 556 that
should be large enough otherwise.

Fixes #10738.

Reported-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Leo Izen <leo.izen@gmail.com>
---
 libavcodec/jpegxl_parser.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Michael Niedermayer Dec. 25, 2023, 2:05 a.m. UTC | #1 
On Fri, Dec 22, 2023 at 09:57:33PM -0500, Leo Izen wrote:
> The specification doesn't mention that clusters cannot have alphabet
> sizes greater than 1 << bundle->log_alphabet_size, but the reference
> implementation rejects these entropy streams as invalid, so we should
> too. Refusing to do so can overflow a stack variable on line 556 that
> should be large enough otherwise.
> 
> Fixes #10738.
> 

> Reported-by: Michael Niedermayer <michael@niedermayer.cc>

The issue has been discovered by Zeng Yunxiang and Li Zeyuan. as mentioned in the ticket


> Signed-off-by: Leo Izen <leo.izen@gmail.com>
> ---
>  libavcodec/jpegxl_parser.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
> index 006eb6b295..c9832e4393 100644
> --- a/libavcodec/jpegxl_parser.c
> +++ b/libavcodec/jpegxl_parser.c
> @@ -388,7 +388,6 @@ static int populate_distribution(GetBitContext *gb, JXLSymbolDistribution *dist,
>  
>      if (get_bits1(gb)) {
>          /* simple code */
> -        dist->alphabet_size = 256;
>          if (get_bits1(gb)) {
>              uint8_t v1 = jxl_u8(gb);
>              uint8_t v2 = jxl_u8(gb);
> @@ -398,10 +397,12 @@ static int populate_distribution(GetBitContext *gb, JXLSymbolDistribution *dist,
>              dist->freq[v2] = (1 << 12) - dist->freq[v1];
>              if (!dist->freq[v1])
>                  dist->uniq_pos = v2;
> +            dist->alphabet_size = 1 + FFMAX(v1, v2);
>          } else {
>              uint8_t x = jxl_u8(gb);
>              dist->freq[x] = 1 << 12;
>              dist->uniq_pos = x;
> +            dist->alphabet_size= 1 + x;
>          }
>          return 0;
>      }
> @@ -880,6 +881,8 @@ static int read_distribution_bundle(GetBitContext *gb, JXLEntropyDecoder *dec,
>              ret = populate_distribution(gb, &bundle->dists[i], bundle->log_alphabet_size);
>              if (ret < 0)
>                  return ret;
> +            if (bundle->dists[i].alphabet_size > (1 << bundle->log_alphabet_size))
> +                return AVERROR_INVALIDDATA;

i think alphabet_size should be checked before it is stored in the struct
or at least before it is used.
ATM the value is unchecked and substantial processing is done with it
in populate_distribution() before this check

Also log_alphabet_size for use_prefix_code == 0 is limited to a max of 8
which limits alphabet_size to 256 in that codepath with the new check.

There are also various arrays that can be reduced in size when alphabet_size
is limited in this codepath. But thats for a different time and patch.
For now i think just moving the alphabet_size check, is fine

thx

[...]
diff mbox series

Patch

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 006eb6b295..c9832e4393 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -388,7 +388,6 @@  static int populate_distribution(GetBitContext *gb, JXLSymbolDistribution *dist,
 
     if (get_bits1(gb)) {
         /* simple code */
-        dist->alphabet_size = 256;
         if (get_bits1(gb)) {
             uint8_t v1 = jxl_u8(gb);
             uint8_t v2 = jxl_u8(gb);
@@ -398,10 +397,12 @@  static int populate_distribution(GetBitContext *gb, JXLSymbolDistribution *dist,
             dist->freq[v2] = (1 << 12) - dist->freq[v1];
             if (!dist->freq[v1])
                 dist->uniq_pos = v2;
+            dist->alphabet_size = 1 + FFMAX(v1, v2);
         } else {
             uint8_t x = jxl_u8(gb);
             dist->freq[x] = 1 << 12;
             dist->uniq_pos = x;
+            dist->alphabet_size= 1 + x;
         }
         return 0;
     }
@@ -880,6 +881,8 @@  static int read_distribution_bundle(GetBitContext *gb, JXLEntropyDecoder *dec,
             ret = populate_distribution(gb, &bundle->dists[i], bundle->log_alphabet_size);
             if (ret < 0)
                 return ret;
+            if (bundle->dists[i].alphabet_size > (1 << bundle->log_alphabet_size))
+                return AVERROR_INVALIDDATA;
             if (get_bits_left(gb) < 0)
                 return AVERROR_BUFFER_TOO_SMALL;
         }