[FFmpeg-cvslog] avcodec/jpegxl_parser: Check for ctx->skip overflow

Michael Niedermayer git at videolan.org
Thu Sep 14 23:00:54 EEST 2023


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Sep 10 02:37:47 2023 +0200| [ca09d8a0dcd82e3128e62463231296aaf63ae6f7] | committer: Michael Niedermayer

avcodec/jpegxl_parser: Check for ctx->skip overflow

Fixes: out of array access
Fixes: 62113/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5025082076168192

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ca09d8a0dcd82e3128e62463231296aaf63ae6f7
---

 libavcodec/jpegxl_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 4010bc713a..6656ed35c5 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -1326,7 +1326,7 @@ static int skip_boxes(JXLParseContext *ctx, const uint8_t *buf, int buf_size)
         if (!size)
             return AVERROR_INVALIDDATA;
         /* invalid ISOBMFF size */
-        if (size <= head_size + 4)
+        if (size <= head_size + 4 || size > INT_MAX - ctx->skip)
             return AVERROR_INVALIDDATA;
 
         ctx->skip += size;



More information about the ffmpeg-cvslog mailing list