Commit ac8dfcbd authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error

Fixes: runtime error: index 12 out of bounds for type 'uint8_t [8]'
Fixes: 1832/clusterfuzz-testcase-minimized-6574546079449088

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 53c0c637
...@@ -729,8 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo ...@@ -729,8 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
av_log(m->avctx, AV_LOG_ERROR, av_log(m->avctx, AV_LOG_ERROR,
"Number of primitive matrices cannot be greater than %d.\n", "Number of primitive matrices cannot be greater than %d.\n",
max_primitive_matrices); max_primitive_matrices);
s->num_primitive_matrices = 0; goto error;
return AVERROR_INVALIDDATA;
} }
for (mat = 0; mat < s->num_primitive_matrices; mat++) { for (mat = 0; mat < s->num_primitive_matrices; mat++) {
...@@ -743,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo ...@@ -743,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
av_log(m->avctx, AV_LOG_ERROR, av_log(m->avctx, AV_LOG_ERROR,
"Invalid channel %d specified as output from matrix.\n", "Invalid channel %d specified as output from matrix.\n",
s->matrix_out_ch[mat]); s->matrix_out_ch[mat]);
return AVERROR_INVALIDDATA; goto error;
} }
if (frac_bits > 14) { if (frac_bits > 14) {
av_log(m->avctx, AV_LOG_ERROR, av_log(m->avctx, AV_LOG_ERROR,
"Too many fractional bits specified.\n"); "Too many fractional bits specified.\n");
return AVERROR_INVALIDDATA; goto error;
} }
max_chan = s->max_matrix_channel; max_chan = s->max_matrix_channel;
...@@ -770,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo ...@@ -770,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo
} }
return 0; return 0;
error:
s->num_primitive_matrices = 0;
memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch));
return AVERROR_INVALIDDATA;
} }
/** Read channel parameters. */ /** Read channel parameters. */
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment