| Message ID | 20240329193221.11522-1-michael@niedermayer.cc |
|---|---|
| State | New |
| Headers | show |
| Series | [FFmpeg-devel,1/3] avcodec/jpeg2000htdec: Check magp before using it in a shift | expand |
| Context | Check | Description |
|---|---|---|
| yinshiyou/make_loongarch64 | success | Make finished |
| yinshiyou/make_fate_loongarch64 | success | Make fate finished |
| andriy/make_x86 | success | Make finished |
| andriy/make_fate_x86 | success | Make fate finished |
fre 2024-03-29 klockan 20:32 +0100 skrev Michael Niedermayer: > Fixes: shift exponent -1 is negative > Fixes: 65378/clusterfuzz-testcase-minimized- > ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/jpeg2000dec.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) > > diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c > index 1afc6b1e2dd..fe2afb05057 100644 > --- a/libavcodec/jpeg2000dec.c > +++ b/libavcodec/jpeg2000dec.c > @@ -1910,6 +1910,8 @@ static inline void tile_codeblocks(const > Jpeg2000DecoderContext *s, Jpeg2000Tile > int nb_precincts, precno; > Jpeg2000Band *band = rlevel->band + bandno; > int cblkno = 0, bandpos; > + /* See Rec. ITU-T T.800, Equation E-2 */ > + int magp = quantsty->expn[subbandno] + quantsty- > >nguardbits - 1; > > bandpos = bandno + (reslevelno > 0); > > @@ -1917,6 +1919,9 @@ static inline void tile_codeblocks(const > Jpeg2000DecoderContext *s, Jpeg2000Tile > band->coord[1][0] == band->coord[1][1]) > continue; > > + if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && > magp >= 31) > + return; Please also print an error message and return AVERROR_PATCHWELCOME /Tomas
On Sat, Mar 30, 2024 at 09:56:58AM +0100, Tomas Härdin wrote: > fre 2024-03-29 klockan 20:32 +0100 skrev Michael Niedermayer: > > Fixes: shift exponent -1 is negative > > Fixes: 65378/clusterfuzz-testcase-minimized- > > ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > > --- > > libavcodec/jpeg2000dec.c | 7 +++++-- > > 1 file changed, 5 insertions(+), 2 deletions(-) > > > > diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c > > index 1afc6b1e2dd..fe2afb05057 100644 > > --- a/libavcodec/jpeg2000dec.c > > +++ b/libavcodec/jpeg2000dec.c > > @@ -1910,6 +1910,8 @@ static inline void tile_codeblocks(const > > Jpeg2000DecoderContext *s, Jpeg2000Tile > > int nb_precincts, precno; > > Jpeg2000Band *band = rlevel->band + bandno; > > int cblkno = 0, bandpos; > > + /* See Rec. ITU-T T.800, Equation E-2 */ > > + int magp = quantsty->expn[subbandno] + quantsty- > > >nguardbits - 1; > > > > bandpos = bandno + (reslevelno > 0); > > > > @@ -1917,6 +1919,9 @@ static inline void tile_codeblocks(const > > Jpeg2000DecoderContext *s, Jpeg2000Tile > > band->coord[1][0] == band->coord[1][1]) > > continue; > > > > + if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && > > magp >= 31) > > + return; > > Please also print an error message and return AVERROR_PATCHWELCOME will apply with these changes thx [...]
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c index 1afc6b1e2dd..fe2afb05057 100644 --- a/libavcodec/jpeg2000dec.c +++ b/libavcodec/jpeg2000dec.c @@ -1910,6 +1910,8 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile int nb_precincts, precno; Jpeg2000Band *band = rlevel->band + bandno; int cblkno = 0, bandpos; + /* See Rec. ITU-T T.800, Equation E-2 */ + int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; bandpos = bandno + (reslevelno > 0); @@ -1917,6 +1919,9 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile band->coord[1][0] == band->coord[1][1]) continue; + if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && magp >= 31) + return; + nb_precincts = rlevel->num_precincts_x * rlevel->num_precincts_y; /* Loop on precincts */ for (precno = 0; precno < nb_precincts; precno++) { @@ -1927,8 +1932,6 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height; cblkno++) { int x, y, ret; - /* See Rec. ITU-T T.800, Equation E-2 */ - int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1; Jpeg2000Cblk *cblk = prec->cblk + cblkno;
Fixes: shift exponent -1 is negative Fixes: 65378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/jpeg2000dec.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)