On Thu, 7 Nov 2024 at 17:31, Leo Izen <leo.i...@gmail.com> wrote: > > The JPEG XL parser has an entropy decoder inside, which supports LZ77 > length-distance pairs. If the first symbol from the entropy stream is an > LZ77 pair, the bitstream is invalid, so we should abort immediately rather > than attempt to read it anyway (which would read from the uninitialized > starting window). > > Reported-by: Kacper Michajłow <kaspe...@gmail.com> > Found-by: ossfuzz > Fixes: > 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut > Fixes: > 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut > Signed-off-by: Leo Izen <leo.i...@gmail.com> > --- > libavcodec/jpegxl_parser.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c > index 746c429b9c..76122af54a 100644 > --- a/libavcodec/jpegxl_parser.c > +++ b/libavcodec/jpegxl_parser.c > @@ -352,6 +352,8 @@ static int decode_hybrid_varlen_uint(GetBitContext *gb, > JXLEntropyDecoder *dec, > > if (bundle->lz77_enabled && token >= bundle->lz77_min_symbol) { > const JXLSymbolDistribution *lz77dist = > &bundle->dists[bundle->cluster_map[bundle->num_dist - 1]]; > + if (!dec->num_decoded) > + return AVERROR_INVALIDDATA; > ret = read_hybrid_uint(gb, &bundle->lz_len_conf, token - > bundle->lz77_min_symbol, &dec->num_to_copy); > if (ret < 0) > return ret; > @@ -531,6 +533,7 @@ static int read_dist_clustering(GetBitContext *gb, > JXLEntropyDecoder *dec, JXLDi > dec->state = -1; > /* it's not going to necessarily be zero after reading */ > dec->num_to_copy = 0; > + dec->num_decoded = 0; > dist_bundle_close(&nested); > if (use_mtf) { > uint8_t mtf[256]; > -- > 2.47.0
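Review bot: the new early return at `if (!dec->num_decoded)` comes after `lz77dist` has already been looked up via `bundle->cluster_map[bundle->num_dist - 1]`; moving the check above that assignment keeps the lookup off the error path and makes the validity test the first thing the LZ77 branch does. A one-line comment next to it restating what the commit message says (an LZ77 pair as the first symbol would copy out of a window nothing has written yet) would save the next reader a trip to the log. The check only rejects the empty-window case; whether a distance larger than `dec->num_decoded` is bounded somewhere else in the copy path is not visible in this hunk and is worth confirming in the same review.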
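Review bot: the added `dec->num_decoded = 0;` lands directly under the comment `/* it's not going to necessarily be zero after reading */`, which was written about `num_to_copy` alone; extend it so it covers both fields, for example `/* neither is necessarily zero after reading */`. Since the new check in decode_hybrid_varlen_uint relies on this counter starting at zero for every entropy stream, it is also worth confirming that read_dist_clustering is the only place a JXLEntropyDecoder is (re)initialised before decoding; any other entry path would carry a stale count from the previous stream and let the check pass.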
I can confirm it works, thanks.

- Kacper
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
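To make the failure mode the patch closes concrete, here is an added example that is not FFmpeg code and not part of the thread: a toy LZ77 window decoder with the copy path in two modes, one that trusts the bitstream (reading stale window bytes when a copy token arrives before any literal) and one that applies the patch's rule of rejecting a copy while nothing has been decoded. The token layout, the `Token`/`Decoder` types, `LZ77_MIN_SYMBOL`, the ring-buffer indexing, the `ERR_INVALIDDATA` stand-in and the `STALE_BYTE` sentinel are this example's own assumptions; the strict mode also bounds the distance by `num_decoded`, which is a generalisation beyond the visible hunk and is labelled as such in the code.

```c
/* Added example, not FFmpeg code: a toy LZ77 window decoder showing why a
 * copy token as the very first symbol must be rejected. Token layout, names
 * and the error value are assumptions modelled loosely on the parser's
 * lz77_min_symbol / num_to_copy / num_decoded fields. */
#include <stdint.h>
#include <string.h>

#define ERR_INVALIDDATA (-1)   /* stand-in for AVERROR_INVALIDDATA */
#define LZ77_MIN_SYMBOL 256u   /* symbols at or above this are copies (assumption) */
#define WINDOW_SIZE     64u
#define STALE_BYTE      0xAA   /* models whatever an uninitialized window holds */
#define N_ELEMS(a)      (sizeof(a) / sizeof((a)[0]))

typedef struct {               /* one decoded symbol (constructed format) */
    uint32_t symbol;           /* < LZ77_MIN_SYMBOL: a literal byte value */
    uint32_t length;           /* copy length, used only for copy tokens */
    uint32_t distance;         /* copy distance, used only for copy tokens */
} Token;

typedef struct {
    uint8_t window[WINDOW_SIZE];
    size_t  num_decoded;       /* bytes produced so far, as in JXLEntropyDecoder */
} Decoder;

static void decoder_init(Decoder *dec)
{
    /* A real decoder leaves this memory uninitialized; a sentinel makes the
     * leak observable here without undefined behaviour. */
    memset(dec->window, STALE_BYTE, sizeof(dec->window));
    dec->num_decoded = 0;
}

/* strict == 0: trust the bitstream, as the parser did before the patch.
 * strict != 0: reject a copy before any symbol (the patch's check) and,
 * as this example's own generalisation, a distance beyond num_decoded. */
static int decode_tokens(Decoder *dec, const Token *toks, size_t n, int strict)
{
    for (size_t i = 0; i < n; i++) {
        const Token *t = &toks[i];
        if (t->symbol < LZ77_MIN_SYMBOL) {
            if (dec->num_decoded >= WINDOW_SIZE)
                return ERR_INVALIDDATA;
            dec->window[dec->num_decoded++] = (uint8_t)t->symbol;
            continue;
        }
        if (strict) {
            if (!dec->num_decoded)                      /* the patch's check */
                return ERR_INVALIDDATA;
            if (t->distance == 0 || t->distance > dec->num_decoded)
                return ERR_INVALIDDATA;                 /* added distance bound */
        }
        for (uint32_t k = 0; k < t->length; k++) {
            if (dec->num_decoded >= WINDOW_SIZE)
                return ERR_INVALIDDATA;
            /* Ring-buffer index: when distance exceeds num_decoded this wraps
             * into the tail of the window, which nothing has written yet. */
            size_t src = (dec->num_decoded - t->distance) % WINDOW_SIZE;
            dec->window[dec->num_decoded] = dec->window[src];
            dec->num_decoded++;
        }
    }
    return 0;
}

/* Constructed token streams for the demonstration. */
static const Token valid_stream[] = {
    { 'a', 0, 0 }, { 'b', 0, 0 }, { 'c', 0, 0 },
    { LZ77_MIN_SYMBOL, 4, 3 },   /* overlapping copy, yields "abca" */
};
static const Token first_symbol_copy[] = {
    { LZ77_MIN_SYMBOL, 2, 1 },   /* copy with an empty window: invalid */
};

/* Returns 1 if the valid stream decodes to "abcabca" in strict mode. */
int valid_stream_ok(void)
{
    Decoder dec;
    decoder_init(&dec);
    if (decode_tokens(&dec, valid_stream, N_ELEMS(valid_stream), 1) != 0)
        return 0;
    return dec.num_decoded == 7 && memcmp(dec.window, "abcabca", 7) == 0;
}

/* Unchecked mode accepts the bad stream and emits the stale sentinel;
 * returns that first output byte, or -1 if decoding was rejected. */
int unchecked_first_copy_leak(void)
{
    Decoder dec;
    decoder_init(&dec);
    if (decode_tokens(&dec, first_symbol_copy, N_ELEMS(first_symbol_copy), 0) != 0)
        return -1;
    return dec.window[0];
}

/* Strict mode rejects the same stream with ERR_INVALIDDATA. */
int strict_first_copy(void)
{
    Decoder dec;
    decoder_init(&dec);
    return decode_tokens(&dec, first_symbol_copy, N_ELEMS(first_symbol_copy), 1);
}
```

The unchecked path does not crash on this input; it quietly produces bytes that were never decoded, which is exactly the kind of defect a fuzzer with memory sanitisation reports and a plain functional test misses. The strict path fails fast on the first token, before any window read happens.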