[FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: check entropy_decoder_read_symbol return value

Leo Izen leo.izen at gmail.com
Tue Nov 5 15:45:35 EET 2024


On 11/1/24 8:50 AM, Kacper Michajłow wrote:
> Found by OSS-Fuzz.
> 
> Signed-off-by: Kacper Michajłow <kasper93 at gmail.com>
> ---
>   libavcodec/jpegxl_parser.c | 6 +++---
>   1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
> index 8c45e1a1b7..746c429b9c 100644
> --- a/libavcodec/jpegxl_parser.c
> +++ b/libavcodec/jpegxl_parser.c
> @@ -1311,7 +1311,7 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
>       // permuted toc
>       if (get_bits1(gb)) {
>           JXLEntropyDecoder dec;
> -        uint32_t end, lehmer = 0;
> +        int64_t end, lehmer = 0;
>           ret = entropy_decoder_init(avctx, gb, &dec, 8);
>           if (ret < 0)
>               return ret;
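
Review bot: missing documentation at the `int64_t end, lehmer = 0;` declaration: after this change each variable holds either a decoded symbol or a negative error value, but neither the code nor the commit message (which says only "Found by OSS-Fuzz") records that or describes the failing input. A one-line comment on the declaration, plus a sentence in the commit message on what went wrong when the return value was stored unchecked in a `uint32_t`, would make the reason for the wider signed type clear to later readers.
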
> @@ -1320,13 +1320,13 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
>               return AVERROR_BUFFER_TOO_SMALL;
>           }
>           end = entropy_decoder_read_symbol(gb, &dec, toc_context(toc_count));
> -        if (end > toc_count) {
> +        if (end < 0 || end > toc_count) {
>               entropy_decoder_close(&dec);
>               return AVERROR_INVALIDDATA;
>           }
>           for (uint32_t i = 0; i < end; i++) {
>               lehmer = entropy_decoder_read_symbol(gb, &dec, toc_context(lehmer));
> -            if (get_bits_left(gb) < 0) {
> +            if (lehmer < 0 || get_bits_left(gb) < 0) {
>                   entropy_decoder_close(&dec);
>                   return AVERROR_BUFFER_TOO_SMALL;
>               }
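
Review bot: both new checks discard the negative value returned by entropy_decoder_read_symbol: `end < 0` is reported as AVERROR_INVALIDDATA and `lehmer < 0` as AVERROR_BUFFER_TOO_SMALL, so the caller cannot tell which failure the decoder actually reported. Consider testing the negative case separately and returning that value after entropy_decoder_close(&dec), keeping the existing codes for `end > toc_count` and `get_bits_left(gb) < 0`. A smaller style point: the loop `for (uint32_t i = 0; i < end; i++)` now mixes a uint32_t counter with an int64_t bound; matching the types would read more cleanly.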

LGTM, will apply.

- Leo Izen (Traneptora)


