This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 2ff28aca4b avcodec/jpeglsdec: bound cumulative decoded JPEG-LS height
per packet
2ff28aca4b is described below
commit 2ff28aca4b3931ee3f551b124851ae7c41a4cdbe
Author: Michael Niedermayer <[email protected]>
AuthorDate: Thu Jun 4 01:47:14 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Sat Jun 13 21:40:40 2026 +0000
avcodec/jpeglsdec: bound cumulative decoded JPEG-LS height per packet
Fixes: Timeout
Fixes:
509211998/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5098892286033920
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/jpeglsdec.c | 11 +++++++++++
libavcodec/mjpegdec.c | 1 +
libavcodec/mjpegdec.h | 1 +
3 files changed, 13 insertions(+)
diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 3a48334ae1..7633bcceb6 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -365,6 +365,15 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s)
int off = 0, stride = 1, width, shift, ret = 0;
int decoded_height = 0;
+ /* Bound the total amount of JPEG-LS decoding work per packet:
+ * Per T.87, ILV=0 uses one scan per component while ILV=1/2 use a single
+ * interleaved scan, and ff_mjpeg_decode_sof() rejects subsampled JPEG-LS,
+ * so a valid image needs at most height * nb_components
+ * (<= height * MAX_COMPONENTS) rows of decoding. The extra factor of 2
+ * is slack so odd, damaged and weird files are not rejected. */
+ if (s->total_ls_decoded_height > s->height * 2LL * MAX_COMPONENTS)
+ return AVERROR_INVALIDDATA;
+
if (!state) {
state = av_malloc(sizeof(*state));
if (!state)
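Review bot: The new early return in ff_jpegls_decode_picture() rejects the scan without any log output, so a file dropped by this work budget looks the same as every other AVERROR_INVALIDDATA failure. Consider logging before the return, for example `av_log(s->avctx, AV_LOG_ERROR, "JPEG-LS decoded height budget exceeded\n");`. The test also runs only at scan entry, so the effective ceiling is the stated limit plus whatever one further scan decodes. The comment could say so explicitly. The function body continues outside this hunk.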
@@ -493,6 +502,8 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s)
goto end;
}
+ s->total_ls_decoded_height += decoded_height;
+
if (s->xfrm && s->nb_components == 3) {
int x, w;
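Review bot: The accumulation sits after the branch that ends in `goto end;`, so any path that jumps to `end` leaves `total_ls_decoded_height` unchanged. Whether such a path can already have decoded rows is not visible in this hunk. If it can, and the caller keeps parsing markers after a failed scan, that work escapes the per-packet bound. Moving `s->total_ls_decoded_height += decoded_height;` to the shared exit under `end:` would count every scan however it finishes. The rest of the function lies outside the hunk.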
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index 742d3ac4c0..472431ec72 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -2393,6 +2393,7 @@ int ff_mjpeg_decode_frame_from_buf(AVCodecContext *avctx,
AVFrame *frame,
int is16bit;
s->force_pal8 = 0;
+ s->total_ls_decoded_height = 0;
s->buf_size = buf_size;
diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h
index 19ff4436e3..4733db3603 100644
--- a/libavcodec/mjpegdec.h
+++ b/libavcodec/mjpegdec.h
@@ -139,6 +139,7 @@ typedef struct MJpegDecodeContext {
int mjpb_skiptosod;
int cur_scan; /* current scan, used by JPEG-LS */
+ int64_t total_ls_decoded_height; /* cumulative JPEG-LS rows decoded in the
current packet */
int flipped; /* true if picture is flipped */
uint16_t (*ljpeg_buffer)[4];