avcodec/jpeg2000htdec: Check magp before using it in a shift

Fixes: shift exponent -1 is negative Fixes: 65378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-03-20 03:27:13 +01:00 · 2024-03-20 03:27:13 +01:00 · 19ad05e9e0
parent 63f56c9943
commit 19ad05e9e0
1 changed files with 12 additions and 4 deletions
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@ -1886,7 +1886,7 @@ static inline void roi_scale_cblk(Jpeg2000Cblk *cblk,
    }
 }

-static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile)
+static inline int tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile)
 {
    Jpeg2000T1Context t1;

@ -1911,6 +1911,8 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
                int nb_precincts, precno;
                Jpeg2000Band *band = rlevel->band + bandno;
                int cblkno = 0, bandpos;
+                /* See Rec. ITU-T T.800, Equation E-2 */
+                int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1;

                bandpos = bandno + (reslevelno > 0);

@ -1918,6 +1920,11 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
                    band->coord[1][0] == band->coord[1][1])
                    continue;

+                if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && magp >= 31) {
+                    avpriv_request_sample(s->avctx, "JPEG2000_CTSY_HTJ2K_F and magp >= 31");
+                    return AVERROR_PATCHWELCOME;
+                }
+
                nb_precincts = rlevel->num_precincts_x * rlevel->num_precincts_y;
                /* Loop on precincts */
                for (precno = 0; precno < nb_precincts; precno++) {
@ -1928,8 +1935,6 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
                         cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height;
                         cblkno++) {
                        int x, y, ret;
-                        /* See Rec. ITU-T T.800, Equation E-2 */
-                        int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1;

                        Jpeg2000Cblk *cblk = prec->cblk + cblkno;

@ -1969,6 +1974,7 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
            ff_dwt_decode(&comp->dwt, codsty->transform == FF_DWT97 ? (void*)comp->f_data : (void*)comp->i_data);

    } /*end comp */
+    return 0;
 }

 #define WRITE_FRAME(D, PIXEL)                                                                     \
@ -2045,7 +2051,9 @@ static int jpeg2000_decode_tile(AVCodecContext *avctx, void *td,
    AVFrame *picture = td;
    Jpeg2000Tile *tile = s->tile + jobnr;

-    tile_codeblocks(s, tile);
+    int ret = tile_codeblocks(s, tile);
+    if (ret < 0)
+        return ret;

    /* inverse MCT transformation */
    if (tile->codsty[0].mct)