On Thu, 7 Nov 2024 at 17:31, Leo Izen <leo.i...@gmail.com> wrote:
>
> The JPEG XL parser has an entropy decoder inside, which supports LZ77
> length-distance pairs. If the first symbol from the entropy stream is an
> LZ77 pair, the bitstream is invalid, so we should abort immediately rather
> than attempt to read it anyway (which would read from the uninitialized
> starting window).
>
> Reported-by: Kacper Michajłow <kaspe...@gmail.com>
> Found-by: ossfuzz
> Fixes:
> 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut
> Fixes:
> 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut
> Signed-off-by: Leo Izen <leo.i...@gmail.com>
> ---
> libavcodec/jpegxl_parser.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
> index 746c429b9c..76122af54a 100644
> --- a/libavcodec/jpegxl_parser.c
> +++ b/libavcodec/jpegxl_parser.c
> @@ -352,6 +352,8 @@ static int decode_hybrid_varlen_uint(GetBitContext *gb,
> JXLEntropyDecoder *dec,
>
> if (bundle->lz77_enabled && token >= bundle->lz77_min_symbol) {
> const JXLSymbolDistribution *lz77dist =
> &bundle->dists[bundle->cluster_map[bundle->num_dist - 1]];
> + if (!dec->num_decoded)
> + return AVERROR_INVALIDDATA;
> ret = read_hybrid_uint(gb, &bundle->lz_len_conf, token -
> bundle->lz77_min_symbol, &dec->num_to_copy);
> if (ret < 0)
> return ret;
> @@ -531,6 +533,7 @@ static int read_dist_clustering(GetBitContext *gb,
> JXLEntropyDecoder *dec, JXLDi
> dec->state = -1;
> /* it's not going to necessarily be zero after reading */
> dec->num_to_copy = 0;
> + dec->num_decoded = 0;
> dist_bundle_close(&nested);
> if (use_mtf) {
> uint8_t mtf[256];
> --
> 2.47.0
I can confirm it works, thanks.
- Kacper
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
