[FFmpeg-cvslog] avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol

Leo Izen git at videolan.org
Wed Nov 13 17:29:15 EET 2024


ffmpeg | branch: release/7.1 | Leo Izen <leo.izen at gmail.com> | Thu Nov  7 11:31:49 2024 -0500| [11e8319b8ef0015e248ff3a400457ebdc0eb77b2] | committer: Leo Izen

avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol

The JPEG XL parser has an entropy decoder inside, which supports LZ77
length-distance pairs. If the first symbol from the entropy stream is an
LZ77 pair, the bitstream is invalid, so we should abort immediately rather
than attempt to read it anyway (which would read from the uninitialized
starting window).

Reported-by: Kacper Michajłow <kasper93 at gmail.com>
Found-by: ossfuzz
Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut
Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut
Signed-off-by: Leo Izen <leo.izen at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=11e8319b8ef0015e248ff3a400457ebdc0eb77b2
---

 libavcodec/jpegxl_parser.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 746c429b9c..76122af54a 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -352,6 +352,8 @@ static int decode_hybrid_varlen_uint(GetBitContext *gb, JXLEntropyDecoder *dec,
 
     if (bundle->lz77_enabled && token >= bundle->lz77_min_symbol) {
         const JXLSymbolDistribution *lz77dist = &bundle->dists[bundle->cluster_map[bundle->num_dist - 1]];
+        if (!dec->num_decoded)
+            return AVERROR_INVALIDDATA;
         ret = read_hybrid_uint(gb, &bundle->lz_len_conf, token - bundle->lz77_min_symbol, &dec->num_to_copy);
         if (ret < 0)
             return ret;
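Review bot: the new `if (!dec->num_decoded) return AVERROR_INVALIDDATA;` guard sits after `lz77dist` has already been computed, so on the error path that pointer arithmetic is wasted work; hoisting the check to the top of the `if (bundle->lz77_enabled && ...)` block, ahead of the `lz77dist` assignment, keeps the reject-early path free of dead computation. A one-line comment at the check would also help future readers, since nothing in the hunk says why a zero `num_decoded` is fatal, e.g. `/* an LZ77 pair cannot be the first symbol: there is no window to copy from yet */`, mirroring the rationale given in the commit message.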
@@ -531,6 +533,7 @@ static int read_dist_clustering(GetBitContext *gb, JXLEntropyDecoder *dec, JXLDi
         dec->state = -1;
         /* it's not going to necessarily be zero after reading */
         dec->num_to_copy = 0;
+        dec->num_decoded = 0;
         dist_bundle_close(&nested);
         if (use_mtf) {
             uint8_t mtf[256];
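Review bot: the correctness of the guard in the first hunk depends entirely on `dec->num_decoded` being zero at the start of every entropy stream, and this hunk resets it only at this one spot in `read_dist_clustering`, next to `dec->num_to_copy = 0`. Worth confirming in review that no other path (re)initialises the decoder without passing through here, because a stale non-zero count from a previous bundle would let a leading LZ77 pair slip past the new check and copy from the uninitialised window the fix is meant to avoid. The existing comment `/* it's not going to necessarily be zero after reading */` now applies to both fields, so extending it to mention `num_decoded` (or placing the new reset above it with its own short comment) would make the intent explicit.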
