From 77facc9a55750a8b4a20dbcf0c6745063bf18dd5 Mon Sep 17 00:00:00 2001 From: Leo Izen Date: Thu, 7 Nov 2024 11:31:49 -0500 Subject: [PATCH] avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The JPEG XL parser has an entropy decoder inside, which supports LZ77 length-distance pairs. If the first symbol from the entropy stream is an LZ77 pair, the bitstream is invalid, so we should abort immediately rather than attempt to read it anyway (which would read from the uninitialized starting window). Reported-by: Kacper Michajłow Found-by: ossfuzz Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut Signed-off-by: Leo Izen --- libavcodec/jpegxl_parser.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index 746c429b9c..76122af54a 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c @@ -352,6 +352,8 @@ static int decode_hybrid_varlen_uint(GetBitContext *gb, JXLEntropyDecoder *dec, if (bundle->lz77_enabled && token >= bundle->lz77_min_symbol) { const JXLSymbolDistribution *lz77dist = &bundle->dists[bundle->cluster_map[bundle->num_dist - 1]]; + if (!dec->num_decoded) + return AVERROR_INVALIDDATA; ret = read_hybrid_uint(gb, &bundle->lz_len_conf, token - bundle->lz77_min_symbol, &dec->num_to_copy); if (ret < 0) return ret; @@ -531,6 +533,7 @@ static int read_dist_clustering(GetBitContext *gb, JXLEntropyDecoder *dec, JXLDi dec->state = -1; /* it's not going to necessarily be zero after reading */ dec->num_to_copy = 0; + dec->num_decoded = 0; dist_bundle_close(&nested); if (use_mtf) { uint8_t mtf[256];