[FFmpeg-cvslog] avcodec/dstdec: Check that AC probabilities are within range

Michael Niedermayer git at videolan.org
Sat Nov 9 18:10:27 EET 2019


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Tue Oct 15 23:42:50 2019 +0200| [0c3e1b395b47fac44397604b2a3343c4bd92561c] | committer: Michael Niedermayer

avcodec/dstdec: Check that AC probabilities are within range

ISO/IEC 14496-3:2005(E): "Each entry of P_one[ ][ ] is in the range of 1 to
128, corresponding to a probability of 1/256 to 128/256 of the next error bit (bit E, See Figure 10.5)..."

Fixes: Timeout (42sec ->1sec)
Fixes: 18181/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_DST_fuzzer-5736646250594304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0c3e1b395b47fac44397604b2a3343c4bd92561c
---

 libavcodec/dstdec.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/dstdec.c b/libavcodec/dstdec.c
index e0519d2a0b..ae3fe428dd 100644
--- a/libavcodec/dstdec.c
+++ b/libavcodec/dstdec.c
@@ -162,6 +162,10 @@ static int read_table(GetBitContext *gb, Table *t, const int8_t code_pred_coeff[
                     c -= (x + 4) / 8;
                 else
                     c += (-x + 3) / 8;
+                if (!is_signed) {
+                    if (c < offset || c >= offset + (1<<coeff_bits))
+                        return AVERROR_INVALIDDATA;
+                }
                 t->coeff[i][j] = c;
             }
         }



More information about the ffmpeg-cvslog mailing list