[FFmpeg-cvslog] avcodec/mlpdec: Check quant_step_size against huff_lsbs
Michael Niedermayer
git at videolan.org
Sun Jun 4 01:23:56 EEST 2017
ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Sat May 20 23:01:04 2017 +0200| [361e0310d95bf2a0377f168518d1135ae15ca3f8] | committer: Michael Niedermayer
avcodec/mlpdec: Check quant_step_size against huff_lsbs
This reorders the operations so as to avoid computations with the above arguments
before they have been initialized.
Fixes part of 1708/clusterfuzz-testcase-minimized-5035111957397504
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=361e0310d95bf2a0377f168518d1135ae15ca3f8
---
libavcodec/mlpdec.c | 34 +++++++++++++++++++++++++---------
1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c
index 0b0f83658e..d5585d3080 100644
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@@ -829,8 +829,6 @@ static int read_channel_params(MLPDecodeContext *m, unsigned int substr,
return AVERROR_INVALIDDATA;
}
- cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
-
return 0;
}
@@ -842,7 +840,8 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp,
{
SubStream *s = &m->substream[substr];
unsigned int ch;
- int ret;
+ int ret = 0;
+ unsigned recompute_sho = 0;
if (s->param_presence_flags & PARAM_PRESENCE)
if (get_bits1(gbp))
@@ -882,19 +881,36 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp,
if (s->param_presence_flags & PARAM_QUANTSTEP)
if (get_bits1(gbp))
for (ch = 0; ch <= s->max_channel; ch++) {
- ChannelParams *cp = &s->channel_params[ch];
-
s->quant_step_size[ch] = get_bits(gbp, 4);
- cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
+ recompute_sho |= 1<<ch;
}
for (ch = s->min_channel; ch <= s->max_channel; ch++)
- if (get_bits1(gbp))
+ if (get_bits1(gbp)) {
+ recompute_sho |= 1<<ch;
if ((ret = read_channel_params(m, substr, gbp, ch)) < 0)
- return ret;
+ goto fail;
+ }
- return 0;
+
+fail:
+ for (ch = 0; ch <= s->max_channel; ch++) {
+ if (recompute_sho & (1<<ch)) {
+ ChannelParams *cp = &s->channel_params[ch];
+
+ if (cp->codebook > 0 && cp->huff_lsbs < s->quant_step_size[ch]) {
+ if (ret >= 0) {
+ av_log(m->avctx, AV_LOG_ERROR, "quant_step_size larger than huff_lsbs\n");
+ ret = AVERROR_INVALIDDATA;
+ }
+ s->quant_step_size[ch] = 0;
+ }
+
+ cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
+ }
+ }
+ return ret;
}
#define MSB_MASK(bits) (-1u << (bits))
More information about the ffmpeg-cvslog
mailing list