diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-05-20 23:01:04 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-06-03 23:30:31 +0200 |
commit | 361e0310d95bf2a0377f168518d1135ae15ca3f8 (patch) | |
tree | dba8471e8f75d48c9caf6c3b99b213ff7fa27b29 | |
parent | 53e0d5d7247548743e13c59c35e59fc2161e9582 (diff) | |
download | ffmpeg-streaming-361e0310d95bf2a0377f168518d1135ae15ca3f8.zip ffmpeg-streaming-361e0310d95bf2a0377f168518d1135ae15ca3f8.tar.gz |
avcodec/mlpdec: Check quant_step_size against huff_lsbs
This reorders the operations so as to avoid computations with the above arguments
before they have been initialized.
Fixes part of 1708/clusterfuzz-testcase-minimized-5035111957397504
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/mlpdec.c | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index 0b0f836..d5585d3 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -829,8 +829,6 @@ static int read_channel_params(MLPDecodeContext *m, unsigned int substr, return AVERROR_INVALIDDATA; } - cp->sign_huff_offset = calculate_sign_huff(m, substr, ch); - return 0; } @@ -842,7 +840,8 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp, { SubStream *s = &m->substream[substr]; unsigned int ch; - int ret; + int ret = 0; + unsigned recompute_sho = 0; if (s->param_presence_flags & PARAM_PRESENCE) if (get_bits1(gbp)) @@ -882,19 +881,36 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp, if (s->param_presence_flags & PARAM_QUANTSTEP) if (get_bits1(gbp)) for (ch = 0; ch <= s->max_channel; ch++) { - ChannelParams *cp = &s->channel_params[ch]; - s->quant_step_size[ch] = get_bits(gbp, 4); - cp->sign_huff_offset = calculate_sign_huff(m, substr, ch); + recompute_sho |= 1<<ch; } for (ch = s->min_channel; ch <= s->max_channel; ch++) - if (get_bits1(gbp)) + if (get_bits1(gbp)) { + recompute_sho |= 1<<ch; if ((ret = read_channel_params(m, substr, gbp, ch)) < 0) - return ret; + goto fail; + } - return 0; + +fail: + for (ch = 0; ch <= s->max_channel; ch++) { + if (recompute_sho & (1<<ch)) { + ChannelParams *cp = &s->channel_params[ch]; + + if (cp->codebook > 0 && cp->huff_lsbs < s->quant_step_size[ch]) { + if (ret >= 0) { + av_log(m->avctx, AV_LOG_ERROR, "quant_step_size larger than huff_lsbs\n"); + ret = AVERROR_INVALIDDATA; + } + s->quant_step_size[ch] = 0; + } + + cp->sign_huff_offset = calculate_sign_huff(m, substr, ch); + } + } + return ret; } #define MSB_MASK(bits) (-1u << (bits)) |