mirror of https://git.ffmpeg.org/ffmpeg.git
avcodec/lagarith: Check that the range coded data stream is consistent when the probabilities indicate no data could have been coded.
Fixes: Timeout Fixes: 8638/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5132046098759680 Fixes: 8943/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-4883030219948032 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
parent
7334985ffa
commit
8d21ab4d12
|
@ -141,6 +141,7 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
|
|||
unsigned prob, cumulative_target;
|
||||
unsigned cumul_prob = 0;
|
||||
unsigned scaled_cumul_prob = 0;
|
||||
int nnz = 0;
|
||||
|
||||
rac->prob[0] = 0;
|
||||
rac->prob[257] = UINT_MAX;
|
||||
|
@ -164,6 +165,8 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
|
|||
prob = 256 - i;
|
||||
for (j = 0; j < prob; j++)
|
||||
rac->prob[++i] = 0;
|
||||
}else {
|
||||
nnz++;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -172,6 +175,10 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
|
|||
return -1;
|
||||
}
|
||||
|
||||
if (nnz == 1 && (show_bits_long(gb, 32) & 0xFFFFFF)) {
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
/* Scale probabilities so cumulative probability is an even power of 2. */
|
||||
scale_factor = av_log2(cumul_prob);
|
||||
|
||||
|
|
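Review bot: The new test `if (nnz == 1 && (show_bits_long(gb, 32) & 0xFFFFFF))` in the third hunk peeks 32 bits with no visible check that 32 bits are still left in the packet. On a truncated input it would presumably be judging padding bytes rather than coded data, so the short-tail case should be decided explicitly, for example by testing `get_bits_left(gb) < 32` before the peek. The mask `0xFFFFFF` is also unexplained, so I would add a comment along the lines of `/* only one symbol has non-zero probability, so no data can be coded: the low 24 bits of the next 32 must be zero */` and say why the top 8 bits are exempt. The `nnz++` in the second hunk sits in an `else` whose condition is outside the hunk, and the body of lag_read_prob_header starts and ends outside the visible hunks, so an earlier length check may already exist.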