Commit 361e0310 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/mlpdec: Check quant_step_size against huff_lsbs

This reorders the operations so as to avoid computations with the above arguments
before they have been initialized.
Fixes part of 1708/clusterfuzz-testcase-minimized-5035111957397504

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 53e0d5d7
......@@ -829,8 +829,6 @@ static int read_channel_params(MLPDecodeContext *m, unsigned int substr,
return AVERROR_INVALIDDATA;
}
cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
return 0;
}
......@@ -842,7 +840,8 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp,
{
SubStream *s = &m->substream[substr];
unsigned int ch;
int ret;
int ret = 0;
unsigned recompute_sho = 0;
if (s->param_presence_flags & PARAM_PRESENCE)
if (get_bits1(gbp))
......@@ -882,19 +881,36 @@ static int read_decoding_params(MLPDecodeContext *m, GetBitContext *gbp,
if (s->param_presence_flags & PARAM_QUANTSTEP)
if (get_bits1(gbp))
for (ch = 0; ch <= s->max_channel; ch++) {
ChannelParams *cp = &s->channel_params[ch];
s->quant_step_size[ch] = get_bits(gbp, 4);
cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
recompute_sho |= 1<<ch;
}
for (ch = s->min_channel; ch <= s->max_channel; ch++)
if (get_bits1(gbp))
if (get_bits1(gbp)) {
recompute_sho |= 1<<ch;
if ((ret = read_channel_params(m, substr, gbp, ch)) < 0)
return ret;
goto fail;
}
return 0;
fail:
for (ch = 0; ch <= s->max_channel; ch++) {
if (recompute_sho & (1<<ch)) {
ChannelParams *cp = &s->channel_params[ch];
if (cp->codebook > 0 && cp->huff_lsbs < s->quant_step_size[ch]) {
if (ret >= 0) {
av_log(m->avctx, AV_LOG_ERROR, "quant_step_size larger than huff_lsbs\n");
ret = AVERROR_INVALIDDATA;
}
s->quant_step_size[ch] = 0;
}
cp->sign_huff_offset = calculate_sign_huff(m, substr, ch);
}
}
return ret;
}
#define MSB_MASK(bits) (-1u << (bits))
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment