[FFmpeg-devel] [PATCH] avcodec/lagarith: Check that the range coded data stream is consistent when the probabilities indicate no data could have been coded.

Michael Niedermayer michael at niedermayer.cc
Fri Jun 15 00:12:09 EEST 2018


Fixes: Timeout
Fixes: 8638/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_LAGARITH_fuzzer-5132046098759680

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/lagarith.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/lagarith.c b/libavcodec/lagarith.c
index 0f4aa89486..ba2da2eeb2 100644
--- a/libavcodec/lagarith.c
+++ b/libavcodec/lagarith.c
@@ -141,6 +141,7 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
     unsigned prob, cumulative_target;
     unsigned cumul_prob = 0;
     unsigned scaled_cumul_prob = 0;
+    int nnz = 0;
 
     rac->prob[0] = 0;
     rac->prob[257] = UINT_MAX;
@@ -164,6 +165,8 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
                 prob = 256 - i;
             for (j = 0; j < prob; j++)
                 rac->prob[++i] = 0;
+        }else {
+            nnz++;
         }
     }
 
@@ -172,6 +175,10 @@ static int lag_read_prob_header(lag_rac *rac, GetBitContext *gb)
         return -1;
     }
 
+    if (nnz == 1 && (show_bits_long(gb, 32) & 0xFFFFFF)) {
+        return AVERROR_INVALIDDATA;
+    }
+
     /* Scale probabilities so cumulative probability is an even power of 2. */
     scale_factor = av_log2(cumul_prob);
 
-- 
2.17.1



More information about the ffmpeg-devel mailing list