| field | value | date |
|---|---|---|
| author | Michael Niedermayer <michael@niedermayer.cc> | 2018-06-14 22:16:52 +0200 |
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2018-07-15 19:42:25 +0200 |
| commit | 8d21ab4d128ddae03fe6b21542c29dee240151db | |
| tree | bee04bb73a693a7f4597dae7247356c151a94339 | |
| parent | 7334985ffae8067b84884b5bd345db06fe2cc220 | |
| download | ffmpeg-8d21ab4d128ddae03fe6b21542c29dee240151db.tar.gz | |
avcodec/lagarith: Check that the range coded data stream is consistent when the probabilities indicate no data could have been coded.
Fixes: Timeout
Fixes: 8638/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5132046098759680
Fixes: 8943/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4883030219948032
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/lagarith.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c index 0f4aa89486..ba2da2eeb2 100644 --- a/libavcodec/lagarith.c +++ b/libavcodec/lagarith.c @@ -141,6 +141,7 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) unsigned prob, cumulative_target; unsigned cumul_prob = 0; unsigned scaled_cumul_prob = 0; + int nnz = 0; rac->prob[0] = 0; rac->prob[257] = UINT_MAX; @@ -164,6 +165,8 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) prob = 256 - i; for (j = 0; j < prob; j++) rac->prob[++i] = 0; + }else { + nnz++; } } @@ -172,6 +175,10 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb) return -1; } + if (nnz == 1 && (show_bits_long(gb, 32) & 0xFFFFFF)) { + return AVERROR_INVALIDDATA; + } + /* Scale probabilities so cumulative probability is an even power of 2. */ scale_factor = av_log2(cumul_prob); |
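Review bot: the `}else {` added in the second hunk (`@@ -164,6 +165,8 @@`) is missing the space before `else`; `} else {` is the conventional form and the only new control-flow line in this hunk, so it is worth fixing before merge. The counter it increments, `nnz`, is also undocumented; a one-line comment at its declaration in the first hunk ("number of symbols with nonzero probability") would save the next reader from inferring it from the loop.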
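Review bot: the new check in the third hunk (`@@ -172,6 +175,10 @@`), `if (nnz == 1 && (show_bits_long(gb, 32) & 0xFFFFFF))`, needs a comment stating the invariant it enforces: when exactly one symbol has nonzero probability the range coder cannot have emitted any symbol, so the coded data following the header is expected to carry nothing, and without that explanation the `0xFFFFFF` mask (why the top byte of the 32 peeked bits is ignored and why 24 bits are a sufficient test) reads as a magic constant. Two further points: the error path just above it returns `-1` while this one returns `AVERROR_INVALIDDATA` with no `av_log` message, so rejected files are not diagnosable at runtime and the two conventions sit side by side in the same function; and it is worth confirming in review that at least 32 bits remain in `gb` at this point, or that the input padding makes `show_bits_long(gb, 32)` safe when fewer do.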