On 10/3/23 11:00, Leo Izen wrote:
The spec caps the prefix alphabet size to 32768 (i.e. 1 << 15) so we should check for that and reject alphabets that are too large, in order to prevent over-allocating.Additionally, there's no need to allocate buffers that are as large as the maximum alphabet size as these aren't stack-allocated, they're heap allocated and thus can be variable size. Added an overflow check as well, which fixes leaking the buffer, and capping the alphabet size fixes two potential overruns as well. Fixes: out of array access Fixes: 62089/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer- 5437089094959104.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Found-by: Hardik Shah of Vehere (Dawn Treaders team) Co-authored-by: Michael Niedermayer <mich...@niedermayer.cc> Signed-off-by: Leo Izen <leo.i...@gmail.com> --- libavcodec/jpegxl_parser.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-)
Will merge soon as it fixes a clusterfuzz case. - Leo Izen _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
