RepoMirrors
/
ffmpeg
mirror of https://git.ffmpeg.org/ffmpeg.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

avcodec/scpr3: Fix out of array access with dectab 

Fixes: 23721/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_SCPR_fuzzer-5914074721550336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit c8de8dfba6)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2020-07-01 23:31:47 +02:00
parent 2cebde69e0
commit a957f43072
1 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
libavcodec/scpr3.c
View File

@ -234,6 +234,8 @@ static int update_model6_to_7(PixelModel3 *m)
}
p = (e + 127) >> 7;
k = ((f + e - 1) >> 7) + 1;
if (k > FF_ARRAY_ELEMS(n.dectab))
return AVERROR_INVALIDDATA;
for (i = 0; i < k - p; i++)
n.dectab[p + i] = j;
e += f;
@ -702,7 +704,11 @@ static int update_model3_to_7(PixelModel3 *m, uint8_t value)
e = d;
n.cntsum += n.cnts[e];
n.freqs1[e] = c;
for (g = n.freqs[e], q = c + 128 - 1 >> 7, f = (c + g - 1 >> 7) + 1; q < f; q++) {
g = n.freqs[e];
f = (c + g - 1 >> 7) + 1;
if (f > FF_ARRAY_ELEMS(n.dectab))
return AVERROR_INVALIDDATA;
for (q = c + 128 - 1 >> 7; q < f; q++) {
n.dectab[q] = e;
}
c += g;
@ -837,6 +843,7 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
uint16_t a = 0, b = 0;
uint32_t param;
int type;
int ret;
type = m->type;
switch (type) {
@ -859,7 +866,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
break;
case 3:
*value = bytestream2_get_byte(&s->gb);
decode_static3(m, *value);
ret = decode_static3(m, *value);
if (ret < 0)
return AVERROR_INVALIDDATA;
sync_code3(gb, rc);
break;
case 4:
@ -877,7 +886,9 @@ static int decode_unit3(SCPRContext *s, PixelModel3 *m, uint32_t code, uint32_t
break;
case 6:
if (!decode_adaptive6(m, code, value, &a, &b)) {
update_model6_to_7(m);
ret = update_model6_to_7(m);
if (ret < 0)
return AVERROR_INVALIDDATA;
}
decode3(gb, rc, a, b);
sync_code3(gb, rc);