I do not know if this or some clipping or other is the best course of action.
I have only a fuzzed file which triggers this and neither reference code nor
specification which would document what to do.
If someone has some reference please reply
Fixes: out of array access
Fixes:
18330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5641113058148352
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
---
libavcodec/atrac9dec.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c
index 46e60ca998..0a249cf319 100644
--- a/libavcodec/atrac9dec.c
+++ b/libavcodec/atrac9dec.c
@@ -142,7 +142,7 @@ static inline int parse_gradient(ATRAC9Context *s,
ATRAC9BlockData *b,
return 0;
}
-static inline void calc_precision(ATRAC9Context *s, ATRAC9BlockData *b,
+static inline int calc_precision(ATRAC9Context *s, ATRAC9BlockData *b,
ATRAC9ChannelData *c)
{
memset(c->precision_mask, 0, sizeof(c->precision_mask));
@@ -187,10 +187,13 @@ static inline void calc_precision(ATRAC9Context *s,
ATRAC9BlockData *b,
for (int i = 0; i < b->q_unit_cnt; i++) {
c->precision_fine[i] = 0;
if (c->precision_coarse[i] > 15) {
+ if (c->precision_coarse[i] > 30)
+ return AVERROR_INVALIDDATA;
c->precision_fine[i] = c->precision_coarse[i] - 15;
c->precision_coarse[i] = 15;
}
}
+ return 0;
}
static inline int parse_band_ext(ATRAC9Context *s, ATRAC9BlockData *b,
@@ -734,7 +737,9 @@ static int atrac9_decode_block(ATRAC9Context *s,
GetBitContext *gb,
if (read_scalefactors(s, b, c, gb, i, first_in_pkt))
return AVERROR_INVALIDDATA;
- calc_precision (s, b, c);
+ if (calc_precision(s, b, c))
+ return AVERROR_INVALIDDATA;
+
calc_codebook_idx (s, b, c);
read_coeffs_coarse(s, b, c, gb);
read_coeffs_fine (s, b, c, gb);
--
2.23.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
