[FFmpeg-cvslog] avcodec/dstdec: Check that AC probabilities are within range
Michael Niedermayer
git at videolan.org
Sat Nov 9 18:10:27 EET 2019
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Tue Oct 15 23:42:50 2019 +0200| [0c3e1b395b47fac44397604b2a3343c4bd92561c] | committer: Michael Niedermayer
avcodec/dstdec: Check that AC probabilities are within range
ISO/IEC 14496-3:2005(E): "Each entry of P_one[ ][ ] is in the range of 1 to
128, corresponding to a probability of 1/256 to 128/256 of the next error bit (bit E, See Figure 10.5)..."
Fixes: Timeout (42sec ->1sec)
Fixes: 18181/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5736646250594304
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0c3e1b395b47fac44397604b2a3343c4bd92561c
---
libavcodec/dstdec.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c
index e0519d2a0b..ae3fe428dd 100644
--- a/libavcodec/dstdec.c
+++ b/libavcodec/dstdec.c
@@ -162,6 +162,10 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[
c -= (x + 4) / 8;
else
c += (-x + 3) / 8;
+ if (!is_signed) {
+ if (c < offset || c >= offset + (1<<coeff_bits))
+ return AVERROR_INVALIDDATA;
+ }
t->coeff[i][j] = c;
}
}
More information about the ffmpeg-cvslog
mailing list