From patchwork Wed Jun 26 18:44:40 2024
X-Patchwork-Submitter: Kacper Michajlow
X-Patchwork-Id: 50172
From: Kacper Michajłow
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 26 Jun 2024 20:44:40 +0200
Message-ID: <20240626184440.1318-1-kasper93@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: check remaining data buffer size

Fixes use of uninitialized value, reported by MSAN.

Found by OSS-Fuzz.

Signed-off-by: Kacper Michajłow
---
 libavcodec/jpegxl_parser.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 8c45e1a1b7..8371d78a45 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -504,9 +504,14 @@ static int read_dist_clustering(GetBitContext *gb, JXLEntropyDecoder *dec, JXLDi
         return 0;
     }
 
+    if (get_bits_left(gb) <= 0)
+        return AVERROR_BUFFER_TOO_SMALL;
+
     if (get_bits1(gb)) {
         /* simple clustering */
-        uint32_t nbits = get_bits(gb, 2);
+        int nbits = get_bits(gb, 2);
+        if (get_bits_left(gb) < nbits * bundle->num_dist)
+            return AVERROR_BUFFER_TOO_SMALL;
         for (int i = 0; i < bundle->num_dist; i++)
             bundle->cluster_map[i] = get_bitsz(gb, nbits);
     } else {
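Review bot: the `get_bits(gb, 2)` that reads `nbits` sits between the two new guards, so after `get_bits1()` it can run with only one bit remaining; that read relies on the bit reader tolerating a short read and lets `get_bits_left()` go negative before the second check catches it. Guarding the whole simple-clustering header up front (`if (get_bits_left(gb) < 3)` in place of `<= 0`, or an extra `if (get_bits_left(gb) < 2)` before `get_bits(gb, 2)`) would make the intent explicit. The second check is also only correct while the product stays signed: `nbits` is now `int`, but if `bundle->num_dist` is unsigned the comparison is done unsigned and a negative `get_bits_left()` result would pass, so its type is worth confirming. Finally, the `else` (complex clustering) branch begins after this hunk and gets no equivalent guard here; if it reads per-distribution fields it needs one too.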
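As an added example of the discipline the patch applies (this is not FFmpeg's code and not part of the original mail), the C program below implements a small MSB-first bit reader and the simple-clustering read with a remaining-bits check before every read, so a truncated stream fails with an error instead of reading past the buffer. `BitReader`, the `br_*` helpers, `read_cluster_map`, `MAX_DIST` and the error codes are hypothetical stand-ins for `GetBitContext`, `get_bits_left()`/`get_bits()`/`get_bitsz()` and `AVERROR_BUFFER_TOO_SMALL`; the bit layout (1-bit flag, 2-bit `nbits`, then `num_dist` entries of `nbits` bits) is the one the hunk reads; the input byte strings are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal MSB-first bit reader standing in for FFmpeg's GetBitContext.
 * Remaining-bits is signed, like get_bits_left(), so an overrun reads as negative. */
typedef struct BitReader {
    const uint8_t *buf;
    long size_bits;  /* total bits in buf */
    long pos;        /* bits consumed so far */
} BitReader;

enum {
    ERR_BUFFER_TOO_SMALL = -1,  /* stands in for AVERROR_BUFFER_TOO_SMALL */
    ERR_NOT_SIMPLE       = -2   /* complex clustering is not modelled here */
};

#define MAX_DIST 16  /* hypothetical cap on num_dist for this example */

static void br_init(BitReader *br, const uint8_t *buf, size_t len)
{
    br->buf = buf;
    br->size_bits = (long)len * 8;
    br->pos = 0;
}

static long br_bits_left(const BitReader *br)
{
    return br->size_bits - br->pos;
}

/* Read n (0..31) bits MSB-first; the caller must have checked br_bits_left().
 * n == 0 returns 0 without consuming anything, like get_bitsz(). */
static uint32_t br_read(BitReader *br, int n)
{
    uint32_t v = 0;
    for (int i = 0; i < n; i++, br->pos++) {
        unsigned bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
        v = (v << 1) | bit;
    }
    return v;
}

/* Parse the simple-clustering layout read by the patched function: a 1-bit
 * flag, a 2-bit nbits, then num_dist entries of nbits bits each.
 * Returns num_dist on success, or a negative error code. */
static int read_cluster_map(BitReader *br, int num_dist, uint8_t *cluster_map)
{
    if (num_dist <= 0 || num_dist > MAX_DIST)
        return ERR_BUFFER_TOO_SMALL;

    /* The patch's first guard: the flag bit must exist. */
    if (br_bits_left(br) <= 0)
        return ERR_BUFFER_TOO_SMALL;
    if (!br_read(br, 1))
        return ERR_NOT_SIMPLE;

    /* Guard the 2-bit nbits field as well; this reader has no padding to absorb a short read. */
    if (br_bits_left(br) < 2)
        return ERR_BUFFER_TOO_SMALL;
    int nbits = (int)br_read(br, 2);

    /* The patch's second guard: every entry must fit before any is read.
     * Both operands are signed, so a negative remaining count cannot be
     * promoted to a large unsigned value and slip past the comparison. */
    if (br_bits_left(br) < (long)nbits * num_dist)
        return ERR_BUFFER_TOO_SMALL;
    for (int i = 0; i < num_dist; i++)
        cluster_map[i] = (uint8_t)br_read(br, nbits);
    return num_dist;
}

/* Convenience wrapper over a raw buffer. */
static int parse_cluster_map(const uint8_t *buf, size_t len, int num_dist, uint8_t *cluster_map)
{
    BitReader br;
    br_init(&br, buf, len);
    return read_cluster_map(&br, num_dist, cluster_map);
}

int main(void)
{
    /* Constructed streams: flag=1, nbits=2, entries 3,0,1,2 -> bits 1 10 11 00 01 10. */
    static const uint8_t ok[]        = { 0xD8, 0xC0 };  /* 11 bits used of 16 */
    static const uint8_t truncated[] = { 0xD8 };        /* only 8 bits for 11 */
    uint8_t map[4];
    int r = parse_cluster_map(ok, sizeof ok, 4, map);
    printf("complete stream: ret=%d map=%u,%u,%u,%u\n", r, map[0], map[1], map[2], map[3]);
    r = parse_cluster_map(truncated, sizeof truncated, 4, map);
    printf("truncated stream: ret=%d (ERR_BUFFER_TOO_SMALL=%d)\n", r, ERR_BUFFER_TOO_SMALL);
    return 0;
}
```

The second guard is the one that matters for the fuzzer case: with `nbits` up to 3 and `num_dist` entries, the loop can need far more bits than a single `<= 0` test covers, and checking the whole product once avoids a per-iteration test inside the loop.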