har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/jpeg2000htdec: Check magp before using it in a shift

Browse Source 
Fixes: shift exponent -1 is negative
Fixes: 65378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 19ad05e9e0f045b13de8de7300ca3bd34ea8ca53)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2024-03-20 03:27:13 +01:00
parent 7570390be6
commit cc9d291fb0
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64
1 changed files with 12 additions and 4 deletions

16
libavcodec/jpeg2000dec.c

@ -1885,7 +1885,7 @@ static inline void roi_scale_cblk(Jpeg2000Cblk *cblk,
} }
} }
static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile) static inline int tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile)
{ {
Jpeg2000T1Context t1; Jpeg2000T1Context t1;
@ -1910,6 +1910,8 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
int nb_precincts, precno; int nb_precincts, precno;
Jpeg2000Band *band = rlevel->band + bandno; Jpeg2000Band *band = rlevel->band + bandno;
int cblkno = 0, bandpos; int cblkno = 0, bandpos;
/* See Rec. ITU-T T.800, Equation E-2 */
int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1;
bandpos = bandno + (reslevelno > 0); bandpos = bandno + (reslevelno > 0);
@ -1917,6 +1919,11 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
band->coord[1][0] == band->coord[1][1]) band->coord[1][0] == band->coord[1][1])
continue; continue;
if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && magp >= 31) {
avpriv_request_sample(s->avctx, "JPEG2000_CTSY_HTJ2K_F and magp >= 31");
return AVERROR_PATCHWELCOME;
}
nb_precincts = rlevel->num_precincts_x * rlevel->num_precincts_y; nb_precincts = rlevel->num_precincts_x * rlevel->num_precincts_y;
/* Loop on precincts */ /* Loop on precincts */
for (precno = 0; precno < nb_precincts; precno++) { for (precno = 0; precno < nb_precincts; precno++) {
@ -1927,8 +1934,6 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height; cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height;
cblkno++) { cblkno++) {
int x, y, ret; int x, y, ret;
/* See Rec. ITU-T T.800, Equation E-2 */
int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1;
Jpeg2000Cblk *cblk = prec->cblk + cblkno; Jpeg2000Cblk *cblk = prec->cblk + cblkno;
@ -1968,6 +1973,7 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
ff_dwt_decode(&comp->dwt, codsty->transform == FF_DWT97 ? (void*)comp->f_data : (void*)comp->i_data); ff_dwt_decode(&comp->dwt, codsty->transform == FF_DWT97 ? (void*)comp->f_data : (void*)comp->i_data);
} /*end comp */ } /*end comp */
return 0;
} }
#define WRITE_FRAME(D, PIXEL) \ #define WRITE_FRAME(D, PIXEL) \
@ -2044,7 +2050,9 @@ static int jpeg2000_decode_tile(AVCodecContext *avctx, void *td,
AVFrame *picture = td; AVFrame *picture = td;
Jpeg2000Tile *tile = s->tile + jobnr; Jpeg2000Tile *tile = s->tile + jobnr;
tile_codeblocks(s, tile); int ret = tile_codeblocks(s, tile);
if (ret < 0)
return ret;
/* inverse MCT transformation */ /* inverse MCT transformation */
if (tile->codsty[0].mct) if (tile->codsty[0].mct)