[FFmpeg-cvslog] avcodec/jpeg2000dec: Check remaining data in packed_headers_stream before use
Michael Niedermayer
git at videolan.org
Mon Aug 10 16:42:26 EEST 2020
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sun Aug 2 01:15:34 2020 +0200| [a5ac81952e8ea3b071190d36a41b7bab4e957f66] | committer: Michael Niedermayer
avcodec/jpeg2000dec: Check remaining data in packed_headers_stream before use
Fixes: out of array read
Fixes: 24487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5165847820369920
Fixes: 24636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5700973918683136
Fixes: 24683/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6202883897556992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=a5ac81952e8ea3b071190d36a41b7bab4e957f66
---
libavcodec/jpeg2000dec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index a4c20f45c5..624542c2f8 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -2184,7 +2184,9 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s)
}
if (s->has_ppm) {
- uint32_t tp_header_size = bytestream2_get_be32u(&s->packed_headers_stream);
+ uint32_t tp_header_size = bytestream2_get_be32(&s->packed_headers_stream);
+ if (bytestream2_get_bytes_left(&s->packed_headers_stream) < tp_header_size)
+ return AVERROR_INVALIDDATA;
bytestream2_init(&tp->header_tpg, s->packed_headers_stream.buffer, tp_header_size);
bytestream2_skip(&s->packed_headers_stream, tp_header_size);
}
More information about the ffmpeg-cvslog
mailing list