avformat/jpegxl_probe: check length instead of blindly reading

Enable the checked bitreader to avoid overread. Also add a few checks in loops and between blocks so we exit instead of continued execution. Alternatively we could add manual checks so that no overread can happen. This would be slightly faster but a bit more work and a bit more fragile Fixes: Out of array accesses Fixes: 59640/clusterfuzz-testcase-minimized-ffmpeg_dem_JPEGXL_ANIM_fuzzer-6584117345779712 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-06-08 10:26:34 -04:00 · 2023-06-08 10:26:34 -04:00 · 1ec4553e35
parent 25c937c0e0
commit 1ec4553e35
1 changed files with 13 additions and 1 deletions
--- a/libavformat/jpegxl_probe.c
+++ b/libavformat/jpegxl_probe.c
@ -21,6 +21,7 @@

 #include "jpegxl_probe.h"

+#define UNCHECKED_BITSTREAM_READER 0
 #define BITSTREAM_READER_LE
 #include "libavcodec/get_bits.h"

@ -293,6 +294,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid
            skip_bits_long(gb, 1);
        }
    }
+    if (get_bits_left(gb) < 1)
+        return AVERROR_INVALIDDATA;

    if (!all_default) {
        jpegxl_skip_bit_depth(gb);
@ -307,6 +310,8 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid
        for (uint32_t i = 0; i < num_extra_channels; i++) {
            if (jpegxl_read_extra_channel_info(gb, validate_level) < 0)
                return -1;
+            if (get_bits_left(gb) < 1)
+                return AVERROR_INVALIDDATA;
        }

        xyb_encoded = get_bits1(gb);
@ -336,8 +341,11 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid
                            return -1;
                        if (primaries == FF_JPEGXL_PR_CUSTOM) {
                            /* ux/uy values for r,g,b */
-                            for (int i = 0; i < 6; i++)
+                            for (int i = 0; i < 6; i++) {
                                jxl_u32(gb, 0, 524288, 1048576, 2097152, 19, 19, 20, 21);
+                                if (get_bits_left(gb) < 1)
+                                    return AVERROR_INVALIDDATA;
+                            }
                        }
                    }
                }
@ -363,10 +371,14 @@ int ff_jpegxl_verify_codestream_header(const uint8_t *buf, int buflen, int valid
            skip_bits_long(gb, 16 + 16 + 1 + 16);

        extensions = jpegxl_u64(gb);
+        if (get_bits_left(gb) < 1)
+            return AVERROR_INVALIDDATA;
        if (extensions) {
            for (int i = 0; i < 64; i++) {
                if (extensions & (UINT64_C(1) << i))
                    jpegxl_u64(gb);
+                if (get_bits_left(gb) < 1)
+                    return AVERROR_INVALIDDATA;
            }
        }
    }