Fixes: index 224 out of bounds for type 'uint8_t [224]' Fixes: 21534/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-6291612167831552 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
		
			
				
	
	
		
		
	
	
	
	
	
/*
 * This file is part of FFmpeg.
 *
 * FFmpeg is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * FFmpeg is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with FFmpeg; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */
/*
 * Process a JPEG frame header through the u()/us() field macros.
 *
 * Field order: Lf, P, Y, X, Nf, then one (C, H, V, Tq) group per component.
 * The last two arguments of every u()/us() call are the inclusive value
 * range accepted for that field.
 *
 * Returns 0 after the last field.  The macros are defined by the including
 * file; they presumably report failures through the local `err` and an
 * early return -- confirm there.
 */
static int FUNC(frame_header)(CodedBitstreamContext *ctx, RWContext *rw,
                              JPEGRawFrameHeader *current)
{
    int err;
    int i;

    HEADER("Frame Header");

    /*
     * NOTE(review): Lf is only range-checked; nothing in this function
     * compares it with 8 + 3 * Nf, so the declared segment length and the
     * component count are not tied together here.
     */
    u(16, Lf, 8, 8 + 3 * JPEG_MAX_COMPONENTS);

    u(8,  P,  2, 16);
    u(16, Y,  0, JPEG_MAX_HEIGHT);
    u(16, X,  1, JPEG_MAX_WIDTH);
    u(8,  Nf, 1, JPEG_MAX_COMPONENTS);

    /*
     * The index below is bounded by the range check on Nf just above.
     * Assumes C/H/V/Tq each hold JPEG_MAX_COMPONENTS entries -- confirm
     * against the JPEGRawFrameHeader definition.
     */
    i = 0;
    while (i < current->Nf) {
        us(8, C[i],  i, 0, JPEG_MAX_COMPONENTS);
        us(4, H[i],  i, 1, 4);
        us(4, V[i],  i, 1, 4);
        us(8, Tq[i], i, 0, 3);
        i++;
    }

    return 0;
}
/*
 * Process one quantisation table: the Pq and Tq nibbles followed by 64
 * table entries.
 *
 * Pq selects the entry width: 8 bits when it is zero, 16 bits otherwise.
 * Both widths use the same accepted value range of 1..255.
 *
 * Returns 0 after the last entry.
 */
static int FUNC(quantisation_table)(CodedBitstreamContext *ctx, RWContext *rw,
                                     JPEGRawQuantisationTable *current)
{
    int err;
    int i;

    u(4, Pq, 0, 1);
    u(4, Tq, 0, 3);

    if (!current->Pq) {
        /* 8-bit entries */
        for (i = 0; i < 64; i++) {
            us(8,  Q[i], i, 1, 255);
        }
    } else {
        /*
         * 16-bit entries.
         * NOTE(review): values above 255 are rejected even at this width,
         * presumably to fit the storage type of Q -- confirm.
         */
        for (i = 0; i < 64; i++) {
            us(16, Q[i], i, 1, 255);
        }
    }

    return 0;
}
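/*
 * Process a DQT segment: the 16-bit length Lq followed by the quantisation
 * tables it announces.
 *
 * The table count is derived from the length as Lq / 65.  With Lq limited
 * to 2 + 4 * 65 this gives at most four tables, so table[] is indexed with
 * 0..3.  Assumes table[] has at least four entries -- confirm against the
 * JPEGRawQuantisationTableSpecification definition.
 *
 * NOTE(review): 65 is the size of a table with 8-bit entries (one Pq/Tq
 * byte plus 64 values).  quantisation_table() handles 64 two-byte entries
 * when Pq is set, so for such tables the derived count may not match what
 * the segment actually holds -- confirm how the caller bounds this.
 *
 * Returns 0 on success; a failing table is propagated by CHECK().
 */
static int FUNC(dqt)(CodedBitstreamContext *ctx, RWContext *rw,
                     JPEGRawQuantisationTableSpecification *current)
{
    int err, i, n;

    HEADER("Quantisation Tables");

    u(16, Lq, 2, 2 + 4 * 65);
    n = current->Lq / 65;

    /* Each table is handled in place inside the specification structure. */
    for (i = 0; i < n; i++)
        CHECK(FUNC(quantisation_table)(ctx, rw, &current->table[i]));

    return 0;
}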
/*
 * Process one Huffman table: the Tc and Th nibbles, the sixteen length
 * counts L[0..15], then the symbol values V[].
 *
 * V is indexed by a running total (ij) of the counts.  Each L[i] is
 * individually limited to 224, but that does not bound their sum, so the
 * total is checked before every access to V and the table is rejected with
 * AVERROR_INVALIDDATA once it would reach 224.
 *
 * NOTE(review): 224 is presumably the element count of V -- confirm
 * against the JPEGRawHuffmanTable definition and keep both in step.
 *
 * Returns 0 on success, AVERROR_INVALIDDATA when the counts add up to more
 * than 224 symbols.
 */
static int FUNC(huffman_table)(CodedBitstreamContext *ctx, RWContext *rw,
                               JPEGRawHuffmanTable *current)
{
    int err;
    int i, j;
    int ij = 0;

    u(4, Tc, 0, 1);
    u(4, Th, 0, 3);

    for (i = 0; i < 16; i++) {
        us(8, L[i], i, 0, 224);
    }

    for (i = 0; i < 16; i++) {
        j = 0;
        while (j < current->L[i]) {
            /* Guard the write index before V[ij] is touched. */
            if (ij >= 224)
                return AVERROR_INVALIDDATA;
            us(8, V[ij], ij, 0, 255);
            ij++;
            j++;
        }
    }

    return 0;
}
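/*
 * Process a DHT segment: the 16-bit length Lh followed by Huffman tables
 * until the running byte count n reaches Lh.
 *
 * n starts at 2 for the length field itself.  After each table it grows by
 * one byte for the Tc/Th pair, one byte per length count, and L[j] bytes of
 * symbol values for each of the sixteen counts.
 *
 * At most eight tables are accepted; a ninth yields AVERROR_INVALIDDATA
 * before table[] is indexed.  Assumes table[] has at least eight entries --
 * confirm against the JPEGRawHuffmanTableSpecification definition.
 *
 * NOTE(review): the loop stops once n >= Lh.  Nothing here checks that n
 * ends up equal to Lh, so the last table may extend past the declared
 * segment length -- confirm whether the caller bounds the data separately.
 *
 * Returns 0 on success; a failing table is propagated by CHECK().
 */
static int FUNC(dht)(CodedBitstreamContext *ctx, RWContext *rw,
                     JPEGRawHuffmanTableSpecification *current)
{
    int err, i, j, n;

    HEADER("Huffman Tables");

    u(16, Lh, 2, 2 + 8 * (1 + 16 + 256));

    n = 2;
    for (i = 0; n < current->Lh; i++) {
        /* Reject the segment before indexing past the eighth table. */
        if (i >= 8)
            return AVERROR_INVALIDDATA;

        CHECK(FUNC(huffman_table)(ctx, rw, &current->table[i]));

        /* Account for the bytes this table occupied. */
        ++n;
        for (j = 0; j < 16; j++)
            n += 1 + current->table[i].L[j];
    }

    return 0;
}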
/*
 * Process a scan header: Ls, Ns, one (Cs, Td, Ta) group per scan component,
 * then Ss, Se, Ah and Al.
 *
 * Ns is limited to 1..4, which bounds the index used for Cs/Td/Ta.
 * Assumes those arrays hold at least four entries -- confirm against the
 * JPEGRawScanHeader definition.
 *
 * NOTE(review): Ls is only range-checked (up to 6 + 2 * JPEG_MAX_COMPONENTS)
 * and is not compared with 6 + 2 * Ns in this function.
 *
 * Returns 0 after the last field.
 */
static int FUNC(scan_header)(CodedBitstreamContext *ctx, RWContext *rw,
                             JPEGRawScanHeader *current)
{
    int err;
    int j;

    HEADER("Scan");

    u(16, Ls, 6, 6 + 2 * JPEG_MAX_COMPONENTS);

    u(8, Ns, 1, 4);

    j = 0;
    while (j < current->Ns) {
        us(8, Cs[j], j, 0, JPEG_MAX_COMPONENTS);
        us(4, Td[j], j, 0, 3);
        us(4, Ta[j], j, 0, 3);
        j++;
    }

    u(8, Ss, 0, 63);
    u(8, Se, 0, 63);
    u(4, Ah, 0, 13);
    u(4, Al, 0, 15);

    return 0;
}
/*
 * Process an application data segment: the 16-bit length Lp followed by
 * Lp - 2 payload bytes in Ap[].
 *
 * When READ is defined, a buffer of Lp - 2 bytes is allocated first and Ap
 * is pointed at its data.  The u() range keeps Lp at 65535 or below, so the
 * allocation is at most 65533 bytes.
 *
 * NOTE(review): Ap_ref is assigned without releasing a previous value, and
 * it stays set if a later us() fails; both presumably rely on the owner of
 * `current` for cleanup -- confirm.  Whether a segment shorter than Lp is
 * rejected depends on the us() implementation in the including file.
 *
 * Returns 0 on success, AVERROR(ENOMEM) if the buffer cannot be allocated.
 */
static int FUNC(application_data)(CodedBitstreamContext *ctx, RWContext *rw,
                                  JPEGRawApplicationData *current)
{
    int err;
    int i;

    HEADER("Application Data");

    u(16, Lp, 2, 65535);

    /* A length of exactly 2 means the segment carries no payload. */
    if (!(current->Lp > 2))
        return 0;

#ifdef READ
    current->Ap_ref = av_buffer_alloc(current->Lp - 2);
    if (!current->Ap_ref)
        return AVERROR(ENOMEM);
    current->Ap = current->Ap_ref->data;
#endif

    for (i = 0; i < current->Lp - 2; i++) {
        us(8, Ap[i], i, 0, 255);
    }

    return 0;
}
/*
 * Process a comment segment: the 16-bit length Lc followed by Lc - 2
 * comment bytes in Cm[].
 *
 * When READ is defined, a buffer of Lc - 2 bytes is allocated first and Cm
 * is pointed at its data.  The u() range keeps Lc at 65535 or below, so the
 * allocation is at most 65533 bytes.
 *
 * NOTE(review): Cm_ref is assigned without releasing a previous value, and
 * it stays set if a later us() fails; both presumably rely on the owner of
 * `current` for cleanup -- confirm.  Whether a segment shorter than Lc is
 * rejected depends on the us() implementation in the including file.
 *
 * Returns 0 on success, AVERROR(ENOMEM) if the buffer cannot be allocated.
 */
static int FUNC(comment)(CodedBitstreamContext *ctx, RWContext *rw,
                         JPEGRawComment *current)
{
    int err;
    int i;

    HEADER("Comment");

    u(16, Lc, 2, 65535);

    /* A length of exactly 2 means the segment carries no comment bytes. */
    if (!(current->Lc > 2))
        return 0;

#ifdef READ
    current->Cm_ref = av_buffer_alloc(current->Lc - 2);
    if (!current->Cm_ref)
        return AVERROR(ENOMEM);
    current->Cm = current->Cm_ref->data;
#endif

    for (i = 0; i < current->Lc - 2; i++) {
        us(8, Cm[i], i, 0, 255);
    }

    return 0;
}