avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol

The JPEG XL parser has an entropy decoder inside, which supports LZ77 length-distance pairs. If the first symbol from the entropy stream is an LZ77 pair, the bitstream is invalid, so we should abort immediately rather than attempt to read it anyway (which would read from the uninitialized starting window). Reported-by: Kacper Michajłow <kasper93@gmail.com> Found-by: ossfuzz Fixes: 368725676/clusterfuzz-testcase-minimized-fuzzer_protocol_file-6022251122589696-cut Fixes: 42537758/clusterfuzz-testcase-minimized-fuzzer_protocol_file-5818969469026304-cut Signed-off-by: Leo Izen <leo.izen@gmail.com>
2 months ago · b45da36a29
parent d0852a36cf
commit b45da36a29
1 changed files with 3 additions and 0 deletions
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@ -352,6 +352,8 @@ static int decode_hybrid_varlen_uint(GetBitContext *gb, JXLEntropyDecoder *dec,

    if (bundle->lz77_enabled && token >= bundle->lz77_min_symbol) {
        const JXLSymbolDistribution *lz77dist = &bundle->dists[bundle->cluster_map[bundle->num_dist - 1]];
+        if (!dec->num_decoded)
+            return AVERROR_INVALIDDATA;
        ret = read_hybrid_uint(gb, &bundle->lz_len_conf, token - bundle->lz77_min_symbol, &dec->num_to_copy);
        if (ret < 0)
            return ret;
@ -531,6 +533,7 @@ static int read_dist_clustering(GetBitContext *gb, JXLEntropyDecoder *dec, JXLDi
        dec->state = -1;
        /* it's not going to necessarily be zero after reading */
        dec->num_to_copy = 0;
+        dec->num_decoded = 0;
        dist_bundle_close(&nested);
        if (use_mtf) {
            uint8_t mtf[256];