avcodec/vqcdec: Check for end of input in decode_vectors()

Fixes: Timeout
Fixes: 52695/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VQC_fuzzer-4882310386548736

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: Peter Ross <pross@xvid.org>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer 2022-11-18 21:08:44 +01:00
parent 6634b6ae5f
commit 0871cb9499
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64
1 changed files with 10 additions and 4 deletions


@ -137,7 +137,7 @@ static void seed_codebooks(VqcContext * s, const int * seed)
} }
} }
static void decode_vectors(VqcContext * s, const uint8_t * buf, int size, int width, int height) static int decode_vectors(VqcContext * s, const uint8_t * buf, int size, int width, int height)
{ {
GetBitContext gb; GetBitContext gb;
uint8_t * vectors = s->vectors; uint8_t * vectors = s->vectors;
@ -155,9 +155,11 @@ static void decode_vectors(VqcContext * s, const uint8_t * buf, int size, int wi
*dst++ = get_bits(&gb, 8); *dst++ = get_bits(&gb, 8);
while (show_bits(&gb, 2) != 2) { while (show_bits(&gb, 2) != 2) {
if (dst >= vectors_end - 1) if (dst >= vectors_end - 1)
return; return 0;
if (get_bits_left(&gb) < 4)
return AVERROR_INVALIDDATA;
if (!show_bits(&gb, 4)) { if (!show_bits(&gb, 4)) {
*dst++ = 0; *dst++ = 0;
@ -182,6 +184,8 @@ static void decode_vectors(VqcContext * s, const uint8_t * buf, int size, int wi
skip_bits(&gb, 2); skip_bits(&gb, 2);
vectors += 32; vectors += 32;
} }
return 0;
} }
static void load_coeffs(VqcContext * s, const uint8_t * v, int width, int coeff_width) static void load_coeffs(VqcContext * s, const uint8_t * v, int width, int coeff_width)
@ -392,7 +396,9 @@ static int vqc_decode_frame(AVCodecContext *avctx, AVFrame * rframe,
avpriv_request_sample(avctx, "gamma=0x%x, contrast=0x%x\n", gamma, contrast); avpriv_request_sample(avctx, "gamma=0x%x, contrast=0x%x\n", gamma, contrast);
seed_codebooks(s, seed); seed_codebooks(s, seed);
decode_vectors(s, buf + 7, avpkt->size - 7, avctx->width, avctx->height); ret = decode_vectors(s, buf + 7, avpkt->size - 7, avctx->width, avctx->height);
if (ret < 0)
return ret;
decode_frame(s, avctx->width, avctx->height); decode_frame(s, avctx->width, avctx->height);
if ((ret = av_frame_ref(rframe, s->frame)) < 0) if ((ret = av_frame_ref(rframe, s->frame)) < 0)
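Review bot: The guard added in the second hunk before `show_bits(&gb, 4)` only ensures four bits remain, so any branch of this loop that consumes more than four bits (the branches between the shown lines lie outside the hunk) can still run the reader past the end of a truncated packet; if such a branch exists, the bound should be the largest read the loop performs, or each branch should check `get_bits_left(&gb)` before its own `get_bits()`. The loop condition `show_bits(&gb, 2)` is also evaluated before the new check, which is benign only if the buffer carries the decoder's usual input padding — presumably it does, but worth confirming against the reader initialisation, which is not in the hunk. Since `decode_vectors` now has a return value, a short comment on the signature in the first hunk, e.g. `/* Returns 0 on success (the vector table may be only partially filled) or AVERROR_INVALIDDATA when the bitstream ends early. */`, would make the contract visible to callers such as `vqc_decode_frame`. The body of `decode_vectors` continues outside the hunks.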