avcodec/cfhd: Check band parameters before storing them

Fixes out of array read Fixes: 2169/clusterfuzz-testcase-minimized-5688641642823680 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 54aaadf648073149f1ac34f56cbde4e6c5aa22ef) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2017-06-10 18:45:08 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2017-06-20 02:05:08 +0200
commit: 72b8c6c645da6580b1ddb0a79d061d2069347dd3 (patch)
tree: e6a83c6004f5cf26f4ab00069e5776fcf1040dc8
parent: 2dcae36de1b85f8054a77c3b82f5640c7f10f384 (diff)
download: ffmpeg-72b8c6c645da6580b1ddb0a79d061d2069347dd3.tar.gz
1 files changed, 9 insertions, 9 deletions
diff --git a/libavcodec/cfhd.c b/libavcodec/cfhd.c
index 196647f3ee..2408dca385 100644
--- a/libavcodec/cfhd.c
+++ b/libavcodec/cfhd.c
@@ -309,22 +309,22 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
             s->prescale_shift[2] = (data >> 6) & 0x7;
             av_log(avctx, AV_LOG_DEBUG, "Prescale shift (VC-5): %x\n", data);
         } else if (tag == 27) {
-            s->plane[s->channel_num].band[0][0].width  = data;
-            s->plane[s->channel_num].band[0][0].stride = data;
             av_log(avctx, AV_LOG_DEBUG, "Lowpass width %"PRIu16"\n", data);
             if (data < 3 || data > s->plane[s->channel_num].band[0][0].a_width) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid lowpass width\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[0][0].width  = data;
+            s->plane[s->channel_num].band[0][0].stride = data;
         } else if (tag == 28) {
-            s->plane[s->channel_num].band[0][0].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Lowpass height %"PRIu16"\n", data);
             if (data < 3 || data > s->plane[s->channel_num].band[0][0].height) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid lowpass height\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[0][0].height = data;
         } else if (tag == 1)
             av_log(avctx, AV_LOG_DEBUG, "Sample type? %"PRIu16"\n", data);
         else if (tag == 10) {
@@ -355,39 +355,39 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
                 av_log(avctx, AV_LOG_DEBUG, "Tag/Value = %x %x\n", tag2, val2);
             }
         } else if (tag == 41) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
-            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
             av_log(avctx, AV_LOG_DEBUG, "Highpass width %i channel %i level %i subband %i\n", data, s->channel_num, s->level, s->subband_num);
             if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass width\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
+            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
         } else if (tag == 42) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Highpass height %i\n", data);
             if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass height\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
         } else if (tag == 49) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
-            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
             av_log(avctx, AV_LOG_DEBUG, "Highpass width2 %i\n", data);
             if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass width2\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[s->level][s->subband_num].width  = data;
+            s->plane[s->channel_num].band[s->level][s->subband_num].stride = FFALIGN(data, 8);
         } else if (tag == 50) {
-            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
             av_log(avctx, AV_LOG_DEBUG, "Highpass height2 %i\n", data);
             if (data < 3) {
                 av_log(avctx, AV_LOG_ERROR, "Invalid highpass height2\n");
                 ret = AVERROR(EINVAL);
                 break;
             }
+            s->plane[s->channel_num].band[s->level][s->subband_num].height = data;
         } else if (tag == 71) {
             s->codebook = data;
             av_log(avctx, AV_LOG_DEBUG, "Codebook %i\n", s->codebook);
author	Michael Niedermayer <michael@niedermayer.cc>	2017-06-10 18:45:08 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2017-06-20 02:05:08 +0200
commit	72b8c6c645da6580b1ddb0a79d061d2069347dd3 (patch)
tree	e6a83c6004f5cf26f4ab00069e5776fcf1040dc8
parent	2dcae36de1b85f8054a77c3b82f5640c7f10f384 (diff)
download	ffmpeg-72b8c6c645da6580b1ddb0a79d061d2069347dd3.tar.gz