diff options
| author | Michael Niedermayer <michael@niedermayer.cc> | 2023-01-11 23:05:55 +0100 |
|---|---|---|
| committer | Michael Niedermayer <michael@niedermayer.cc> | 2023-04-07 23:40:40 +0200 |
| commit | 2ae1a70cd5603d887d92848767a859c0385c9644 (patch) | |
| tree | 9ba24ebf8c2c235d8dea0dba13934222de525c20 | |
| parent | 68da8e97032b2cf57749b0360b4767d934725c4d (diff) | |
| download | ffmpeg-2ae1a70cd5603d887d92848767a859c0385c9644.tar.gz | |
avcodec/eatgq: : Check index increments in tgq_decode_block()
Fixes: out of array access
Fixes: 48567/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_EATGQ_fuzzer-6743211456724992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit e7755b433e913e32bb061f17d5ecfcbcfef995b7)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
| -rw-r--r-- | libavcodec/eatgq.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/libavcodec/eatgq.c b/libavcodec/eatgq.c index 197ba6fc6e..85f40a5c54 100644 --- a/libavcodec/eatgq.c +++ b/libavcodec/eatgq.c @@ -61,7 +61,7 @@ static av_cold int tgq_decode_init(AVCodecContext *avctx) return 0; } -static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) +static int tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb) { uint8_t *perm = s->scantable.permutated; int i, j, value; @@ -69,6 +69,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb for (i = 1; i < 64;) { switch (show_bits(gb, 3)) { case 4: + if (i >= 63) + return AVERROR_INVALIDDATA; block[perm[i++]] = 0; case 0: block[perm[i++]] = 0; @@ -78,6 +80,8 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb case 1: skip_bits(gb, 2); value = get_bits(gb, 6); + if (value > 64 - i) + return AVERROR_INVALIDDATA; for (j = 0; j < value; j++) block[perm[i++]] = 0; break; @@ -105,6 +109,7 @@ static void tgq_decode_block(TgqContext *s, int16_t block[64], GetBitContext *gb } } block[0] += 128 << 4; + return 0; } static void tgq_idct_put_mb(TgqContext *s, int16_t (*block)[64], AVFrame *frame, @@ -164,8 +169,11 @@ static int tgq_decode_mb(TgqContext *s, AVFrame *frame, int mb_y, int mb_x) if (ret < 0) return ret; - for (i = 0; i < 6; i++) - tgq_decode_block(s, s->block[i], &gb); + for (i = 0; i < 6; i++) { + int ret = tgq_decode_block(s, s->block[i], &gb); + if (ret < 0) + return ret; + } tgq_idct_put_mb(s, s->block, frame, mb_x, mb_y); bytestream2_skip(&s->gb, mode); } else { |