[FFmpeg-devel] [PATCH 2/3] avcodec/pgxdec: Check depth more completely

[Andreas Rheinhardt]

Michael Niedermayer:
> Fixes: shift exponent -1 is negative
> Fixes: 26107/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_PGX_fuzzer-5378790047612928
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/pgxdec.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/libavcodec/pgxdec.c b/libavcodec/pgxdec.c
> index 150f8bbf66..5c735894ab 100644
> --- a/libavcodec/pgxdec.c
> +++ b/libavcodec/pgxdec.c
> @@ -133,14 +133,14 @@ static int pgx_decode_frame(AVCodecContext *avctx, void *data,
>      if ((ret = ff_set_dimensions(avctx, width, height)) < 0)
>          return ret;
>  
> -    if (depth <= 8) {
> +    if (depth > 0 && depth <= 8) {
>          avctx->pix_fmt = AV_PIX_FMT_GRAY8;
>          bpp = 8;
> -    } else if (depth <= 16) {
> +    } else if (depth > 0 && depth <= 16) {
>          avctx->pix_fmt = AV_PIX_FMT_GRAY16;
>          bpp = 16;
>      } else {
> -        av_log(avctx, AV_LOG_ERROR, "Maximum depth of 16 bits supported.\n");
> +        av_log(avctx, AV_LOG_ERROR, "depth %d is invalid or unsupported.\n", depth);
>          return AVERROR_PATCHWELCOME;
>      }
>      if (bytestream2_get_bytes_left(&g) < width * height * (bpp >> 3))
> 
I presume the parsed depth to be zero in your testcase. Said number
comes from pgx_get_number() which is only used to parse values for which
a value of zero makes no sense. Wouldn't it make more sense to error out
there if the number is zero?

- Andreas