[FFmpeg-cvslog] avcodec/jpeg2000dec: Reduce the number of tile parts allocated

Michael Niedermayer git at videolan.org
Sun May 6 22:29:55 EEST 2018


ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Fri May  4 18:28:07 2018 +0200| [3543522d200f46a9a2782b95c83c031626fd7a04] | committer: Michael Niedermayer

avcodec/jpeg2000dec: Reduce the number of tile parts allocated

This is large enough for all jpeg2000 files I tested. If some need more than this
should be changed to dynamic allocation. Dynamic allocation would need to be done
carefully as these are many relatively small arrays so repeatedly reallocating them
would not be good.
The decrease is a clean and simple solution assuming it works for all files.

Fixes: OOM
Fixes: 6534/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-4821490731057152

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=3543522d200f46a9a2782b95c83c031626fd7a04
---

 libavcodec/jpeg2000dec.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/jpeg2000dec.c b/libavcodec/jpeg2000dec.c
index 5414ce5655..6aa63a9771 100644
--- a/libavcodec/jpeg2000dec.c
+++ b/libavcodec/jpeg2000dec.c
@@ -82,7 +82,7 @@ typedef struct Jpeg2000Tile {
     Jpeg2000CodingStyle codsty[4];
     Jpeg2000QuantStyle  qntsty[4];
     Jpeg2000POC         poc;
-    Jpeg2000TilePart    tile_part[256];
+    Jpeg2000TilePart    tile_part[32];
     uint16_t tp_idx;                    // Tile-part index
     int coord[2][2];                    // border coordinates {{x0, x1}, {y0, y1}}
 } Jpeg2000Tile;
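Review bot: the new bound of 32 is a silent behaviour change for conforming streams, and nothing at the declaration records it, so a reader of the struct has no way to know why 256 became 32 or that get_sot() now rejects anything above it. Please either name the limit (e.g. `#define JPEG2000_MAX_TILE_PARTS 32` and `Jpeg2000TilePart tile_part[JPEG2000_MAX_TILE_PARTS];`) or add a comment beside the array stating that the value was chosen to bound per-tile memory (the OOM in the commit message) and that streams with more tile parts per tile are rejected rather than decoded. The commit message itself says this is "assuming it works for all files", which is exactly the kind of assumption that belongs next to the code.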
@@ -761,7 +761,10 @@ static int get_sot(Jpeg2000DecoderContext *s, int n)
         return AVERROR_INVALIDDATA;
     }
 
-    av_assert0(TPsot < FF_ARRAY_ELEMS(s->tile[Isot].tile_part));
+    if (TPsot >= FF_ARRAY_ELEMS(s->tile[Isot].tile_part)) {
+        avpriv_request_sample(s->avctx, "Too many tile parts");
+        return AVERROR_PATCHWELCOME;
+    }
 
     s->tile[Isot].tp_idx = TPsot;
     tp             = s->tile[Isot].tile_part + TPsot;
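Review bot: replacing `av_assert0()` with a returned error is the right fix here, since an assertion that fires on attacker-controlled input aborts the whole process and turns a malformed file into a denial of service; the check is also correctly placed before `tp_idx` is written and before `tile_part + TPsot` is formed, so no out-of-bounds access remains. Two small suggestions: since `avpriv_request_sample()` is printf-style, include the offending value so reports are actionable, e.g. `avpriv_request_sample(s->avctx, "Too many tile parts (%d)", TPsot);`, and consider whether `AVERROR_PATCHWELCOME` is the intended signal given that the commit message treats a stream exceeding the new limit as something that may need dynamic allocation rather than as invalid data; the error code chosen here is what downstream users will see, so it should match that intent.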
