[FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: check entropy_decoder_read_symbol return value
Leo Izen
leo.izen at gmail.com
Tue Nov 5 15:45:35 EET 2024
On 11/1/24 8:50 AM, Kacper Michajłow wrote:
> Found by OSS-Fuzz.
>
> Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
> ---
> libavcodec/jpegxl_parser.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
> index 8c45e1a1b7..746c429b9c 100644
> --- a/libavcodec/jpegxl_parser.c
> +++ b/libavcodec/jpegxl_parser.c
> @@ -1311,7 +1311,7 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
> // permuted toc
> if (get_bits1(gb)) {
> JXLEntropyDecoder dec;
> - uint32_t end, lehmer = 0;
> + int64_t end, lehmer = 0;
> ret = entropy_decoder_init(avctx, gb, &dec, 8);
> if (ret < 0)
> return ret;
> @@ -1320,13 +1320,13 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
> return AVERROR_BUFFER_TOO_SMALL;
> }
> end = entropy_decoder_read_symbol(gb, &dec, toc_context(toc_count));
> - if (end > toc_count) {
> + if (end < 0 || end > toc_count) {
> entropy_decoder_close(&dec);
> return AVERROR_INVALIDDATA;
> }
> for (uint32_t i = 0; i < end; i++) {
> lehmer = entropy_decoder_read_symbol(gb, &dec, toc_context(lehmer));
> - if (get_bits_left(gb) < 0) {
> + if (lehmer < 0 || get_bits_left(gb) < 0) {
> entropy_decoder_close(&dec);
> return AVERROR_BUFFER_TOO_SMALL;
> }
LTGM, Will apply.
- Leo Izen (Traneptora)
More information about the ffmpeg-devel
mailing list