RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-31 23:59:34 +00:00
Code Issues Projects Releases Wiki Activity

avcodec/jpegxl_parser: check entropy_decoder_read_symbol return value

Browse Source 
Found by OSS-Fuzz.

Signed-off-by: Kacper Michajłow <kasper93@gmail.com>
This commit is contained in:
Kacper Michajłow 2024-11-01 13:50:38 +01:00 committed by Leo Izen
parent c845a07302
commit 7b20985d8d
No known key found for this signature in database
GPG Key ID: 764E48EA48221833
1 changed files with 3 additions and 3 deletions

6
libavcodec/jpegxl_parser.c
View File

@ -1311,7 +1311,7 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
// permuted toc // permuted toc
if (get_bits1(gb)) { if (get_bits1(gb)) {
JXLEntropyDecoder dec; JXLEntropyDecoder dec;
uint32_t end, lehmer = 0; int64_t end, lehmer = 0;
ret = entropy_decoder_init(avctx, gb, &dec, 8); ret = entropy_decoder_init(avctx, gb, &dec, 8);
if (ret < 0) if (ret < 0)
return ret; return ret;
@ -1320,13 +1320,13 @@ static int parse_frame_header(void *avctx, JXLParseContext *ctx, GetBitContext *
return AVERROR_BUFFER_TOO_SMALL; return AVERROR_BUFFER_TOO_SMALL;
} }
end = entropy_decoder_read_symbol(gb, &dec, toc_context(toc_count)); end = entropy_decoder_read_symbol(gb, &dec, toc_context(toc_count));
if (end > toc_count) { if (end < 0 || end > toc_count) {
entropy_decoder_close(&dec); entropy_decoder_close(&dec);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
for (uint32_t i = 0; i < end; i++) { for (uint32_t i = 0; i < end; i++) {
lehmer = entropy_decoder_read_symbol(gb, &dec, toc_context(lehmer)); lehmer = entropy_decoder_read_symbol(gb, &dec, toc_context(lehmer));
if (get_bits_left(gb) < 0) { if (lehmer < 0 || get_bits_left(gb) < 0) {
entropy_decoder_close(&dec); entropy_decoder_close(&dec);
return AVERROR_BUFFER_TOO_SMALL; return AVERROR_BUFFER_TOO_SMALL;
} }