This avoids inconsistent value combinations.
Alternatively, it would be possible to add more checks and careful use of
temporary variables, but my attempt at this quickly grew into
a rather large change.
The disadvantage of this, is that the struct is copied back and forth.

Fixes: index 6 out of bounds for type 'const uint16_t [5][16]'
Fixes: 
6557/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_INDEO4_fuzzer-4787296550256640

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
 libavcodec/indeo4.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/libavcodec/indeo4.c b/libavcodec/indeo4.c
index a3562f6fd8..7dff9db877 100644
--- a/libavcodec/indeo4.c
+++ b/libavcodec/indeo4.c
@@ -260,12 +260,14 @@ static int decode_pic_hdr(IVI45DecContext *ctx, 
AVCodecContext *avctx)
  *  @param[in]     avctx     pointer to the AVCodecContext
  *  @return        result code: 0 = OK, negative number = error
  */
-static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *band,
+static int decode_band_hdr(IVI45DecContext *ctx, IVIBandDesc *arg_band,
                            AVCodecContext *avctx)
 {
     int plane, band_num, indx, transform_id, scan_indx;
     int i;
     int quant_mat;
+    IVIBandDesc temp_band, *band = &temp_band;
+    memcpy(&temp_band, arg_band, sizeof(temp_band));
 
     plane    = get_bits(&ctx->gb, 2);
     band_num = get_bits(&ctx->gb, 4);
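Review bot: The local-copy scheme introduced at `IVIBandDesc temp_band, *band = &temp_band;` only shields the scalar fields of the band; if IVIBandDesc holds pointer members (tile or buffer pointers, say), any write made through them between this copy and the final copy-back still lands in the shared object and is not rolled back on an error return, which the commit does not state. The intent is also invisible in the code itself, so the copy deserves a comment such as `/* Parse the header into a local copy so a failed or inconsistent header leaves *arg_band untouched; it is copied back only on success. */`. A plain struct assignment `temp_band = *arg_band;` would express the same copy with type checking instead of `memcpy(&temp_band, arg_band, sizeof(temp_band))`. The body of decode_band_hdr continues past the end of this hunk.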
@@ -395,10 +397,10 @@ static int decode_band_hdr(IVI45DecContext *ctx, 
IVIBandDesc *band,
 
         /* decode block huffman codebook */
         if (!get_bits1(&ctx->gb))
-            band->blk_vlc.tab = ctx->blk_vlc.tab;
+            arg_band->blk_vlc.tab = ctx->blk_vlc.tab;
         else
             if (ff_ivi_dec_huff_desc(&ctx->gb, 1, IVI_BLK_HUFF,
-                                     &band->blk_vlc, avctx))
+                                     &arg_band->blk_vlc, avctx))
                 return AVERROR_INVALIDDATA;
 
         /* select appropriate rvmap table for this band */
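Review bot: The switch from `band->blk_vlc` to `arg_band->blk_vlc` makes the codebook the one field that is decoded straight into the caller's band while everything else goes to the local copy, and nothing in the code says why; presumably the VLC helper stores a pointer into the band's own table storage, so decoding into the stack copy would leave a dangling pointer after the copy-back, but a maintainer cannot tell that from here. A comment at the `if (!get_bits1(&ctx->gb))` line would prevent someone from "fixing" it back, e.g. `/* blk_vlc is decoded into arg_band, not the local copy: its table must live in the caller's band; it is re-synced before the copy-back. */`. Note also that on the `return AVERROR_INVALIDDATA` path here, and on any later early return, `arg_band->blk_vlc` has already been replaced while the rest of the band is left as before; that appears harmless if the caller drops the frame, but it is a partial update worth stating.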
@@ -439,6 +441,9 @@ static int decode_band_hdr(IVI45DecContext *ctx, 
IVIBandDesc *band,
         return AVERROR_INVALIDDATA;
     }
 
+    band->blk_vlc = arg_band->blk_vlc;
+    memcpy(arg_band, band, sizeof(*arg_band));
+
     return 0;
 }
 
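Review bot: The copy-back `memcpy(arg_band, band, sizeof(*arg_band))` overwrites every field of `*arg_band`, so any future direct write to `arg_band` made between the initial copy and this point, other than `blk_vlc` which the preceding `band->blk_vlc = arg_band->blk_vlc;` re-syncs, is silently discarded; the ordering of those two lines is load-bearing and undocumented. Suggest a comment above them: `/* Commit the parsed header atomically. blk_vlc was decoded into arg_band directly, so pull it into the copy first or the memcpy would clobber it. */`. For consistency with the struct assignment used one line earlier, `*arg_band = temp_band;` is the type-checked form of this copy.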
-- 
2.17.0
