virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-04-14 00:58:38 +02:00
Code Issues Releases Activity

avcodec/vorbisdec: Check get_vlc2() failure

Browse Source 
Fixes: out of array read
Fixes: 16510/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VORBIS_fuzzer-5754510382727168

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 07b948fe60789064d7c784d47b8fe798a9a4d2b9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2019-07-08 01:18:05 +02:00
parent faeeb2e1d7
commit 77b92f757a
1 changed files with 25 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
libavcodec/vorbisdec.c
View File

@ -1442,7 +1442,7 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
int vqbook = vr->books[vqclass][pass]; int vqbook = vr->books[vqclass][pass];
if (vqbook >= 0 && vc->codebooks[vqbook].codevectors) { if (vqbook >= 0 && vc->codebooks[vqbook].codevectors) {
unsigned coffs; int coffs;
unsigned dim = vc->codebooks[vqbook].dimensions; unsigned dim = vc->codebooks[vqbook].dimensions;
unsigned step = FASTDIV(vr->partition_size << 1, dim << 1); unsigned step = FASTDIV(vr->partition_size << 1, dim << 1);
vorbis_codebook codebook = vc->codebooks[vqbook]; vorbis_codebook codebook = vc->codebooks[vqbook];
@ -1451,14 +1451,20 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
voffs = voffset+j*vlen; voffs = voffset+j*vlen;
for (k = 0; k < step; ++k) { for (k = 0; k < step; ++k) {
coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
if (coffs < 0)
return coffs;
coffs *= dim;
for (l = 0; l < dim; ++l) for (l = 0; l < dim; ++l)
vec[voffs + k + l * step] += codebook.codevectors[coffs + l]; vec[voffs + k + l * step] += codebook.codevectors[coffs + l];
} }
} else if (vr_type == 1) { } else if (vr_type == 1) {
voffs = voffset + j * vlen; voffs = voffset + j * vlen;
for (k = 0; k < step; ++k) { for (k = 0; k < step; ++k) {
coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
if (coffs < 0)
return coffs;
coffs *= dim;
for (l = 0; l < dim; ++l, ++voffs) { for (l = 0; l < dim; ++l, ++voffs) {
vec[voffs]+=codebook.codevectors[coffs+l]; vec[voffs]+=codebook.codevectors[coffs+l];
@ -1471,13 +1477,19 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
if (dim == 2) { if (dim == 2) {
for (k = 0; k < step; ++k) { for (k = 0; k < step; ++k) {
coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 2; coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
if (coffs < 0)
return coffs;
coffs *= 2;
vec[voffs + k ] += codebook.codevectors[coffs ]; vec[voffs + k ] += codebook.codevectors[coffs ];
vec[voffs + k + vlen] += codebook.codevectors[coffs + 1]; vec[voffs + k + vlen] += codebook.codevectors[coffs + 1];
} }
} else if (dim == 4) { } else if (dim == 4) {
for (k = 0; k < step; ++k, voffs += 2) { for (k = 0; k < step; ++k, voffs += 2) {
coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * 4; coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
if (coffs < 0)
return coffs;
coffs *= 4;
vec[voffs ] += codebook.codevectors[coffs ]; vec[voffs ] += codebook.codevectors[coffs ];
vec[voffs + 1 ] += codebook.codevectors[coffs + 2]; vec[voffs + 1 ] += codebook.codevectors[coffs + 2];
vec[voffs + vlen ] += codebook.codevectors[coffs + 1]; vec[voffs + vlen ] += codebook.codevectors[coffs + 1];
@ -1485,7 +1497,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
} }
} else } else
for (k = 0; k < step; ++k) { for (k = 0; k < step; ++k) {
coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
if (coffs < 0)
return coffs;
coffs *= dim;
for (l = 0; l < dim; l += 2, voffs++) { for (l = 0; l < dim; l += 2, voffs++) {
vec[voffs ] += codebook.codevectors[coffs + l ]; vec[voffs ] += codebook.codevectors[coffs + l ];
vec[voffs + vlen] += codebook.codevectors[coffs + l + 1]; vec[voffs + vlen] += codebook.codevectors[coffs + l + 1];
@ -1502,7 +1517,10 @@ static av_always_inline int vorbis_residue_decode_internal(vorbis_context *vc,
unsigned voffs_mod = voffset - voffs_div * ch; unsigned voffs_mod = voffset - voffs_div * ch;
for (k = 0; k < step; ++k) { for (k = 0; k < step; ++k) {
coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3) * dim; coffs = get_vlc2(gb, codebook.vlc.table, codebook.nb_bits, 3);
if (coffs < 0)
return coffs;
coffs *= dim;
for (l = 0; l < dim; ++l) { for (l = 0; l < dim; ++l) {
vec[voffs_div + voffs_mod * vlen] += vec[voffs_div + voffs_mod * vlen] +=
codebook.codevectors[coffs + l]; codebook.codevectors[coffs + l];