author | Michael Niedermayer <michael@niedermayer.cc> | 2023-01-11 23:05:55 +0100 |
committer | Michael Niedermayer <michael@niedermayer.cc> | 2023-01-15 19:34:39 +0100 |
commit | e7755b433e913e32bb061f17d5ecfcbcfef995b7 (patch) | |
tree | b00b34f1c46ad8c2a3f8ba04e52200a11bc028aa /libavcodec | |
parent | 2378cbe36bd5d42611bc62498cd25cb819f9034f (diff) | |
download | ffmpeg-e7755b433e913e32bb061f17d5ecfcbcfef995b7.tar.gz |
avcodec/eatgq: : Check index increments in tgq_decode_block()
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/eatgq.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c
index 89e9f20880..01e1acd4e4 100644
--- a/libavcodec/eatgq.c
+++ b/libavcodec/eatgq.c
@@ -56,7 +56,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx)
     return 0;
 }
 
-static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
+static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb)
 {
     const uint8_t *scantable = ff_zigzag_direct;
     int i, j, value;
@@ -64,6 +64,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
     for (i = 1; i < 64;) {
         switch (show_bits(gb, 3)) {
         case 4:
+            if (i >= 63)
+                return AVERROR_INVALIDDATA;
             block[scantable[i++]] = 0;
         case 0:
             block[scantable[i++]] = 0;
@@ -73,6 +75,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
         case 1:
             skip_bits(gb, 2);
             value = get_bits(gb, 6);
+            if (value > 64 - i)
+                return AVERROR_INVALIDDATA;
             for (j = 0; j < value; j++)
                 block[scantable[i++]] = 0;
             break;
@@ -100,6 +104,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb
         }
     }
     block[0] += 128 << 4;
+    return 0;
 }
 
 static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame,
@@ -160,8 +165,11 @@ static int tgq_decode_mb(TgqContext *s, GetByteContext *gbyte,
     if (ret < 0)
         return ret;
 
-    for (i = 0; i < 6; i++)
-        tgq_decode_block(s, s->block[i], &gb);
+    for (i = 0; i < 6; i++) {
+        int ret = tgq_decode_block(s, s->block[i], &gb);
+        if (ret < 0)
+            return ret;
+    }
     tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y);
     bytestream2_skip(gbyte, mode);
 } else {
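Review bot: The new `int` return of tgq_decode_block() in the first hunk carries no comment stating what callers may expect, which matters now that the function can bail out before filling all 64 coefficients. A one-line header above the signature would do, e.g. `/* Returns 0 on success, AVERROR_INVALIDDATA if the bitstream would index past block[64]; block is then only partially written. */`. The partial-write part is visible from the early returns in the later hunks, so it is worth stating for anyone who reuses s->block after a failure. The function body continues between and after the hunks shown here.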
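Review bot: The `i >= 63` guard in the second hunk is only correct because `case 4` falls through into `case 0` and so performs two `scantable[i++]` writes, but nothing in the code says so; a reader seeing a bound of 63 rather than 64 will assume an off-by-one. Mark the intent on the line after the guard, e.g. `block[scantable[i++]] = 0; /* fallthrough: case 0 writes the second coefficient, hence i < 63 above */`, which also silences implicit-fallthrough warnings in compilers that honour the comment. The `value > 64 - i` check in the third hunk is the same kind of bound (i + value must not exceed 64) and reads more directly written as `if (i + value > 64)`, with no underflow concern since the loop already guarantees i < 64. The remaining switch cases lie between the hunks and are not visible here, so whether they can also advance i past the end cannot be judged from this diff.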
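Review bot: The last hunk declares a new `int ret` inside the loop body that shadows the outer `ret` already checked two lines earlier (`if (ret < 0) return ret;`), which trips `-Wshadow` and invites confusion about which variable a later `return ret` refers to. Reuse the existing variable instead: `ret = tgq_decode_block(s, s->block[i], &gb);` followed by the same `if (ret < 0) return ret;`. The enclosing tgq_decode_mb() starts before this hunk and its `else` branch continues past it.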