Re: [FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: check entropy_decoder_read_symbol return value

Tue, 05 Nov 2024 05:45:53 -0800 

On 11/1/24 8:50 AM, Kacper Michajłow wrote:

Found by OSS-Fuzz.

Signed-off-by: Kacper Michajłow <kaspe...@gmail.com>
---
  libavcodec/jpegxl_parser.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 8c45e1a1b7..746c429b9c 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -1311,7 +1311,7 @@ static int parse_frame_header(void *avctx, 
JXLParseContext *ctx, GetBitContext *
      // permuted toc
      if (get_bits1(gb)) {
          JXLEntropyDecoder dec;
-        uint32_t end, lehmer = 0;
+        int64_t end, lehmer = 0;
          ret = entropy_decoder_init(avctx, gb, &dec, 8);
          if (ret < 0)
              return ret;
@@ -1320,13 +1320,13 @@ static int parse_frame_header(void *avctx, 
JXLParseContext *ctx, GetBitContext *
              return AVERROR_BUFFER_TOO_SMALL;
          }
          end = entropy_decoder_read_symbol(gb, &dec, toc_context(toc_count));
-        if (end > toc_count) {
+        if (end < 0 || end > toc_count) {
              entropy_decoder_close(&dec);
              return AVERROR_INVALIDDATA;
          }
          for (uint32_t i = 0; i < end; i++) {
              lehmer = entropy_decoder_read_symbol(gb, &dec, 
toc_context(lehmer));
-            if (get_bits_left(gb) < 0) {
+            if (lehmer < 0 || get_bits_left(gb) < 0) {
                  entropy_decoder_close(&dec);
                  return AVERROR_BUFFER_TOO_SMALL;
              }


LTGM, Will apply.

- Leo Izen (Traneptora)

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to