avcodec/mlpdec: Check quant_step_size against huff_lsbs

This reorders the operations so as to avoid computations with the above arguments before they have been initialized. Fixes part of 1708/clusterfuzz-testcase-minimized-5035111957397504 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2024-12-23 12:43:46 +02:00 · 2017-05-20 23:01:04 +02:00 · 2017-05-20 23:01:04 +02:00 · 361e0310d9
commit 361e0310d9
parent 53e0d5d724
1 changed files with 25 additions and 9 deletions
--- a/libavcodec/mlpdec.c
+++ b/libavcodec/mlpdec.c
@ -829,8 +829,6 @@ static int read_channel_params(MLPDecodeContext *m, unsigned int substr,
        return AVERROR_INVALIDDATA;
    }

-    cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
-
    return 0;
 }

@ -842,7 +840,8 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp,
 {
    SubStream *s = &m->substream[substr];
    unsigned int ch;
-    int ret;
+    int ret = 0;
+    unsigned recompute_sho = 0;

    if (s->param_presence_flags & PARAM_PRESENCE)
        if (get_bits1(gbp))
@ -882,19 +881,36 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp,
    if (s->param_presence_flags & PARAM_QUANTSTEP)
        if (get_bits1(gbp))
            for (ch = 0; ch <= s->max_channel; ch++) {
-                ChannelParams *cp = &s->channel_params[ch];
-
                s->quant_step_size[ch] = get_bits(gbp, 4);

-                cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
+                recompute_sho |= 1<<ch;
            }

    for (ch = s->min_channel; ch <= s->max_channel; ch++)
-        if (get_bits1(gbp))
+        if (get_bits1(gbp)) {
+            recompute_sho |= 1<<ch;
            if ((ret = read_channel_params(m, substr, gbp, ch)) < 0)
-                return ret;
+                goto fail;
+        }

-    return 0;
+
+fail:
+    for (ch = 0; ch <= s->max_channel; ch++) {
+        if (recompute_sho & (1<<ch)) {
+            ChannelParams *cp = &s->channel_params[ch];
+
+            if (cp->codebook > 0 && cp->huff_lsbs < s->quant_step_size[ch]) {
+                if (ret >= 0) {
+                    av_log(m->avctx, AV_LOG_ERROR, "quant_step_size larger than huff_lsbs\n");
+                    ret = AVERROR_INVALIDDATA;
+                }
+                s->quant_step_size[ch] = 0;
+            }
+
+            cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
+        }
+    }
+    return ret;
 }

 #define MSB_MASK(bits)  (-1u << (bits))