highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

avcodec/cfhd: Move peak_table() and difference_coding() calls after the existing coefficient count check

Browse Source 
Fixes: out of array access
Fixes: 9509/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5283250636324864
Fixes: 9572/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-4920757409808384
Fixes: 9596/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-5114917580439552
Fixes: 9640/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6247840698335232
Fixes: 9659/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_CFHD_fuzzer-6079554987753472

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2018-08-13 00:44:48 +02:00
parent dbac849c4d
commit 2c1613ac94
1 changed files with 4 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
libavcodec/cfhd.c
View File

@ -668,11 +668,6 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
for (i = 0; i < run; i++) for (i = 0; i < run; i++)
*coeff_data++ = coeff; *coeff_data++ = coeff;
} }
if (s->peak.level)
peak_table(coeff_data - expected, &s->peak, expected);
if (s->difference_coding)
difference_coding(s->plane[s->channel_num].subband[s->subband_num_actual], highpass_width, highpass_height);
} else { } else {
while (1) { while (1) {
UPDATE_CACHE(re, &s->gb); UPDATE_CACHE(re, &s->gb);
@ -692,11 +687,6 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
for (i = 0; i < run; i++) for (i = 0; i < run; i++)
*coeff_data++ = coeff; *coeff_data++ = coeff;
} }
if (s->peak.level)
peak_table(coeff_data - expected, &s->peak, expected);
if (s->difference_coding)
difference_coding(s->plane[s->channel_num].subband[s->subband_num_actual], highpass_width, highpass_height);
} }
CLOSE_READER(re, &s->gb); CLOSE_READER(re, &s->gb);
} }
@ -706,6 +696,10 @@ static int cfhd_decode(AVCodecContext *avctx, void *data, int *got_frame,
ret = AVERROR(EINVAL); ret = AVERROR(EINVAL);
goto end; goto end;
} }
if (s->peak.level)
peak_table(coeff_data - expected, &s->peak, expected);
if (s->difference_coding)
difference_coding(s->plane[s->channel_num].subband[s->subband_num_actual], highpass_width, highpass_height);
bytes = FFALIGN(AV_CEIL_RSHIFT(get_bits_count(&s->gb), 3), 4); bytes = FFALIGN(AV_CEIL_RSHIFT(get_bits_count(&s->gb), 3), 4);
if (bytes > bytestream2_get_bytes_left(&gb)) { if (bytes > bytestream2_get_bytes_left(&gb)) {