[FFmpeg-devel] [PATCH 1/5] avcodec/atrac9dec: Check precision_fine/coarse

Michael Niedermayer michael at niedermayer.cc
Sat Oct 19 23:39:46 EEST 2019


I do not know if this or some clipping or other is the best course of action.
I have only a fuzzed file which triggers this and neither reference code nor
specification which would document what to do.
If someone has some reference please reply

Fixes: out of array access
Fixes: 18330/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5641113058148352

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
 libavcodec/atrac9dec.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c
index 46e60ca998..0a249cf319 100644
--- a/libavcodec/atrac9dec.c
+++ b/libavcodec/atrac9dec.c
@@ -142,7 +142,7 @@ static inline int parse_gradient(ATRAC9Context *s, ATRAC9BlockData *b,
     return 0;
 }
 
-static inline void calc_precision(ATRAC9Context *s, ATRAC9BlockData *b,
+static inline int calc_precision(ATRAC9Context *s, ATRAC9BlockData *b,
                                   ATRAC9ChannelData *c)
 {
     memset(c->precision_mask, 0, sizeof(c->precision_mask));
@@ -187,10 +187,13 @@ static inline void calc_precision(ATRAC9Context *s, ATRAC9BlockData *b,
     for (int i = 0; i < b->q_unit_cnt; i++) {
         c->precision_fine[i] = 0;
         if (c->precision_coarse[i] > 15) {
+            if (c->precision_coarse[i] > 30)
+                return AVERROR_INVALIDDATA;
             c->precision_fine[i] = c->precision_coarse[i] - 15;
             c->precision_coarse[i] = 15;
         }
     }
+    return 0;
 }
 
 static inline int parse_band_ext(ATRAC9Context *s, ATRAC9BlockData *b,
@@ -734,7 +737,9 @@ static int atrac9_decode_block(ATRAC9Context *s, GetBitContext *gb,
         if (read_scalefactors(s, b, c, gb, i, first_in_pkt))
             return AVERROR_INVALIDDATA;
 
-        calc_precision    (s, b, c);
+        if (calc_precision(s, b, c))
+            return AVERROR_INVALIDDATA;
+
         calc_codebook_idx (s, b, c);
         read_coeffs_coarse(s, b, c, gb);
         read_coeffs_fine  (s, b, c, gb);
-- 
2.23.0



More information about the ffmpeg-devel mailing list