diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2023-01-11 23:05:55 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2023-02-22 00:42:22 +0100 |
| commit | a34fe535e41162041f47b4c2baa37d33c7949f67 (patch) | |
| tree | ef56409687e592190fab1f8fdfe38072ca798726 | |
| parent | d78fe4d3fb670f55da9661f6fd59b1e036c5c0a0 (diff) | |
| download | ffmpeg-a34fe535e41162041f47b4c2baa37d33c7949f67.tar.gz | |
avcodec/eatgq: : Check index increments in tgq_decode_block()
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e7755b433e913e32bb061f17d5ecfcbcfef995b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/eatgq.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 2e9d2fe13c..eca93fd8a2 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -62,7 +62,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx) return 0; } -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) { uint8_t *perm = s->scantable.permutated; int i, j, value; @@ -70,6 +70,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb for (i = 1; i < 64;) { switch (show_bits(gb, 3)) { case 4: + if (i >= 63) + return AVERROR_INVALIDDATA; block[perm[i++]] = 0; case 0: block[perm[i++]] = 0; @@ -79,6 +81,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb case 1: skip_bits(gb, 2); value = get_bits(gb, 6); + if (value > 64 - i) + return AVERROR_INVALIDDATA; for (j = 0; j < value; j++) block[perm[i++]] = 0; break; @@ -106,6 +110,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb } } block[0] += 128 << 4; + return 0; } static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame, @@ -165,8 +170,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x) if (ret < 0) return ret; - for (i = 0; i < 6; i++) - tgq_decode_block(s, s->block[i], &gb); + for (i = 0; i < 6; i++) { + int ret = tgq_decode_block(s, s->block[i], &gb); + if (ret < 0) + return ret; + } tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y); bytestream2_skip(&s->gb, mode); } else { |