[FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol
Kacper Michajlow
kasper93 at gmail.com
Wed Nov 13 03:32:49 EET 2024
On Thu, 7 Nov 2024 at 17:31, Leo Izen <leo.izen at gmail.com> wrote:
>
> The JPEG XL parser has an entropy decoder inside, which supports LZ77
> length-distance pairs. If the first symbol from the entropy stream is an
> LZ77 pair, the bitstream is invalid, so we should abort immediately rather
> than attempt to read it anyway (which would read from the uninitialized
> starting window).
>
> Reported-by: Kacper Michajłow <kasper93 at gmail.com>
> Found-by: ossfuzz
> Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut
> Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut
> Signed-off-by: Leo Izen <leo.izen at gmail.com>
> ---
> libavcodec/jpegxl_parser.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
> index 746c429b9c..76122af54a 100644
> --- a/libavcodec/jpegxl_parser.c
> +++ b/libavcodec/jpegxl_parser.c
> @@ -352,6 +352,8 @@ static int decode_hybrid_varlen_uint(GetBitContext *gb, JXLEntropyDecoder *dec,
>
> if (bundle->lz77_enabled && token >= bundle->lz77_min_symbol) {
> const JXLSymbolDistribution *lz77dist = &bundle->dists[bundle->cluster_map[bundle->num_dist - 1]];
> + if (!dec->num_decoded)
> + return AVERROR_INVALIDDATA;
> ret = read_hybrid_uint(gb, &bundle->lz_len_conf, token - bundle->lz77_min_symbol, &dec->num_to_copy);
> if (ret < 0)
> return ret;
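Review bot: the new guard relies on `dec->num_decoded` being zero exactly when no symbol has yet been emitted into the window for the current stream, so a short comment above `if (!dec->num_decoded)` stating that an LZ77 pair cannot be the first symbol (there is nothing to copy from yet) would make the intent clear to the next reader, rather than leaving it to be inferred from the commit message. Also consider placing the check before `lz77dist` is computed, since that pointer is unused on the error path and the early return reads more naturally as the first statement of the block.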
> @@ -531,6 +533,7 @@ static int read_dist_clustering(GetBitContext *gb, JXLEntropyDecoder *dec, JXLDi
> dec->state = -1;
> /* it's not going to necessarily be zero after reading */
> dec->num_to_copy = 0;
> + dec->num_decoded = 0;
> dist_bundle_close(&nested);
> if (use_mtf) {
> uint8_t mtf[256];
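Review bot: resetting `dec->num_decoded = 0` here is what makes the guard in the first hunk sound, so it is worth confirming that `read_dist_clustering` is the only place the decoder state is reinitialised (alongside `dec->state = -1` and `dec->num_to_copy = 0`); any other reset path that leaves `num_decoded` carrying a count from a previous stream would let an initial LZ77 pair slip past the check. The existing comment "it's not going to necessarily be zero after reading" applies equally to `num_decoded`, so extending it to cover both fields would document why the explicit reset is needed.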
> --
> 2.47.0
I can confirm it works, thanks.
- Kacper