avcodec/jpeg2000htdec: Check magp before using it in a shift

Fixes: shift exponent -1 is negative
Fixes: 65378/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_JPEG2000_fuzzer-5457678193197056

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 19ad05e9e0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
release/7.0
Michael Niedermayer 10 months ago
parent 7570390be6
commit cc9d291fb0
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64
  1. 16
      libavcodec/jpeg2000dec.c

@ -1885,7 +1885,7 @@ static inline void roi_scale_cblk(Jpeg2000Cblk *cblk,
}
}
static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile)
static inline int tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile *tile)
{
Jpeg2000T1Context t1;
@ -1910,6 +1910,8 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
int nb_precincts, precno;
Jpeg2000Band *band = rlevel->band + bandno;
int cblkno = 0, bandpos;
/* See Rec. ITU-T T.800, Equation E-2 */
int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1;
bandpos = bandno + (reslevelno > 0);
@ -1917,6 +1919,11 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
band->coord[1][0] == band->coord[1][1])
continue;
if ((codsty->cblk_style & JPEG2000_CTSY_HTJ2K_F) && magp >= 31) {
avpriv_request_sample(s->avctx, "JPEG2000_CTSY_HTJ2K_F and magp >= 31");
return AVERROR_PATCHWELCOME;
}
nb_precincts = rlevel->num_precincts_x * rlevel->num_precincts_y;
/* Loop on precincts */
for (precno = 0; precno < nb_precincts; precno++) {
@ -1927,8 +1934,6 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
cblkno < prec->nb_codeblocks_width * prec->nb_codeblocks_height;
cblkno++) {
int x, y, ret;
/* See Rec. ITU-T T.800, Equation E-2 */
int magp = quantsty->expn[subbandno] + quantsty->nguardbits - 1;
Jpeg2000Cblk *cblk = prec->cblk + cblkno;
@ -1968,6 +1973,7 @@ static inline void tile_codeblocks(const Jpeg2000DecoderContext *s, Jpeg2000Tile
ff_dwt_decode(&comp->dwt, codsty->transform == FF_DWT97 ? (void*)comp->f_data : (void*)comp->i_data);
} /*end comp */
return 0;
}
#define WRITE_FRAME(D, PIXEL) \
@ -2044,7 +2050,9 @@ static int jpeg2000_decode_tile(AVCodecContext *avctx, void *td,
AVFrame *picture = td;
Jpeg2000Tile *tile = s->tile + jobnr;
tile_codeblocks(s, tile);
int ret = tile_codeblocks(s, tile);
if (ret < 0)
return ret;
/* inverse MCT transformation */
if (tile->codsty[0].mct)
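Review bot: The new guard in the third hunk bounds magp only from above and only on the HTJ2K path, while magp is derived from two codestream-supplied values (`quantsty->expn[subbandno]` and `quantsty->nguardbits`) and can equally be small or negative for any block style; whether the non-HT code block path also uses magp as a shift amount cannot be seen from the hunk, so that deserves a check in the decoder. The bound 31 is a magic number with no comment, so a reader cannot tell whether it is tied to a 32-bit coefficient width or to something else; a one-line comment above the check, `/* the HTJ2K block decoder uses magp as a shift count on 32-bit values; reject exponents that would overflow it */` (hedged as my reading, worth confirming against jpeg2000htdec), would document why. The message passed to avpriv_request_sample repeats the enum name rather than describing the input, `"HTJ2K with magp >= 31 (expn %d, guard bits %d)"` with the two values would make bug reports actionable. The body of tile_codeblocks begins in the first hunk and continues outside the shown hunks; the caller in jpeg2000_decode_tile is updated consistently.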
