authorMichael Niedermayer <michael@niedermayer.cc>2020-06-11 22:45:27 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2020-06-14 19:17:07 +0200
commitc579ceffbe30d048c7448c5e9238fc52094de630 (patch)
tree9cc2c9f95c294ee6c070510225980411345e9b86
parent04ddace9e880172a5206e931fd12ce98662e1f6d (diff)
downloadffmpeg-c579ceffbe30d048c7448c5e9238fc52094de630.tar.gz
avcodec/jpeg2000dec: Fix/check for multiple integer overflows
Fixes: shift exponent 35 is too large for 32-bit type 'int'
Fixes: 22857/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5202709358837760
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/jpeg2000dec.c19
1 files changed, 13 insertions, 6 deletions
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index b7766459c4..ab36009a2d 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -612,12 +612,19 @@ static int get_rgn(Jpeg2000DecoderContext *s, int n)
// Currently compno cannot be greater than 4.
// However, future implementation should support compno up to 65536
if (compno < s->ncomponents) {
- if (s->curtileno == -1)
- s->roi_shift[compno] = bytestream2_get_byte(&s->g);
- else {
+ int v;
+ if (s->curtileno == -1) {
+ v = bytestream2_get_byte(&s->g);
+ if (v > 30)
+ return AVERROR_PATCHWELCOME;
+ s->roi_shift[compno] = v;
+ } else {
if (s->tile[s->curtileno].tp_idx != 0)
return AVERROR_INVALIDDATA; // marker occurs only in first tile part of tile
- s->tile[s->curtileno].comp[compno].roi_shift = bytestream2_get_byte(&s->g);
+ v = bytestream2_get_byte(&s->g);
+ if (v > 30)
+ return AVERROR_PATCHWELCOME;
+ s->tile[s->curtileno].comp[compno].roi_shift = v;
}
return 0;
}
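Review bot: The bound `v > 30` is a bare magic number that appears twice in this hunk with no comment explaining it, so a future reader cannot tell whether 30 is a spec limit or an implementation constraint. The commit message says the value ends up as a shift count on a 32-bit int, which is what motivates the limit, so that reasoning should live next to the check: `/* SPrgn is used as a shift count on a 32-bit int; anything above this would overflow (UB) */` with the two literals replaced by one named constant such as a proposed `JPEG2000_MAX_ROI_SHIFT`. The second hunk's `bpno > 29` appears to be the same kind of bound for decode_cblk and would benefit from the same comment, though its relation to this limit is not visible here. The duplicated read-and-check in both branches could be hoisted above the `curtileno` test, but only if consuming the SPrgn byte before the `tp_idx` check is acceptable, since that branch returns an error anyway. get_rgn begins before this hunk and the `if (compno < s->ncomponents)` block is only partly shown.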
@@ -1669,8 +1676,8 @@ static int decode_cblk(Jpeg2000DecoderContext *s, Jpeg2000CodingStyle *codsty,
ff_mqc_initdec(&t1->mqc, cblk->data, 0, 1);
while (passno--) {
- if (bpno < 0) {
- av_log(s->avctx, AV_LOG_ERROR, "bpno became negative\n");
+ if (bpno < 0 || bpno > 29) {
+ av_log(s->avctx, AV_LOG_ERROR, "bpno became invalid\n");
return AVERROR_INVALIDDATA;
}
switch(pass_t) {