]> git.sesse.net Git - ffmpeg/commitdiff
avcodec/jpeg2000dec: Check remaining data in packed_headers_stream before use
authorMichael Niedermayer <michael@niedermayer.cc>
Sat, 1 Aug 2020 23:15:34 +0000 (01:15 +0200)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 10 Aug 2020 12:54:32 +0000 (14:54 +0200)
Fixes: out of array read
Fixes: 24487/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5165847820369920
Fixes: 24636/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5700973918683136
Fixes: 24683/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-6202883897556992
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/jpeg2000dec.c

index a4c20f45c56eb479b74cf5eef1b21286e91aa404..624542c2f87372d161e359ff90a07b3276b9a8ad 100644 (file)
@@ -2184,7 +2184,9 @@ static int jpeg2000_read_main_headers(Jpeg2000DecoderContext *s)
             }
 
             if (s->has_ppm) {
-                uint32_t tp_header_size = bytestream2_get_be32u(&s->packed_headers_stream);
+                uint32_t tp_header_size = bytestream2_get_be32(&s->packed_headers_stream);
+                if (bytestream2_get_bytes_left(&s->packed_headers_stream) < tp_header_size)
+                    return AVERROR_INVALIDDATA;
                 bytestream2_init(&tp->header_tpg, s->packed_headers_stream.buffer, tp_header_size);
                 bytestream2_skip(&s->packed_headers_stream, tp_header_size);
             }