[FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: check remaining data buffer size
Kacper Michajłow
kasper93 at gmail.com
Wed Jun 26 21:44:40 EEST 2024
Fixes use of uninitialized value, reported by MSAN.
Found by OSS-Fuzz.
Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
---
libavcodec/jpegxl_parser.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 8c45e1a1b7..8371d78a45 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -504,9 +504,14 @@ static int read_dist_clustering(GetBitContext *gb, JXLEntropyDecoder *dec, JXLDi
return 0;
}
+ if (get_bits_left(gb) <= 0)
+ return AVERROR_BUFFER_TOO_SMALL;
+
if (get_bits1(gb)) {
/* simple clustering */
- uint32_t nbits = get_bits(gb, 2);
+ int nbits = get_bits(gb, 2);
+ if (get_bits_left(gb) < nbits * bundle->num_dist)
+ return AVERROR_BUFFER_TOO_SMALL;
for (int i = 0; i < bundle->num_dist; i++)
bundle->cluster_map[i] = get_bitsz(gb, nbits);
} else {
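Review bot: the switch from `uint32_t nbits` to `int nbits` is load-bearing for the new `get_bits_left(gb) < nbits * bundle->num_dist` check and deserves a sentence in the commit message: `get_bits_left()` returns a signed int that goes negative after an overread, and with an unsigned `nbits` that negative value would be converted to a large unsigned number and the check would never fire. Separately, the leading `if (get_bits_left(gb) <= 0)` guard only guarantees a single bit, while `get_bits1()` plus `get_bits(gb, 2)` consume three; the later comparison still rejects a negative remainder whenever `nbits > 0`, and `get_bitsz(gb, 0)` reads nothing, so the behaviour is correct, but a guard of `get_bits_left(gb) < 3` would make the intent clearer and not rely on that interaction.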
--
2.43.0