PR #23348 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23348 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23348.patch
Fixes: Timeout
Fixes: 509211998/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5098892286033920
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>

>From ed8468b03430b940916bd3ae46a1895af3959f23 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Thu, 4 Jun 2026 01:47:14 +0200
Subject: [PATCH] avcodec/jpeglsdec: bound cumulative decoded height per SOF

Fixes: Timeout
Fixes: 509211998/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_THP_fuzzer-5098892286033920
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/jpeglsdec.c | 5 +++++
libavcodec/mjpegdec.c | 1 +
libavcodec/mjpegdec.h | 1 +
3 files changed, 7 insertions(+)

diff --git a/libavcodec/jpeglsdec.c b/libavcodec/jpeglsdec.c
index 3a48334ae1..d04367fb6a 100644
--- a/libavcodec/jpeglsdec.c
+++ b/libavcodec/jpeglsdec.c
@@ -365,6 +365,9 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s)
 int off = 0, stride = 1, width, shift, ret = 0;
 int decoded_height = 0;
 
+ if (s->total_ls_decoded_height > s->height * 8LL)
+ return AVERROR_INVALIDDATA;
+
 if (!state) {
 state = av_malloc(sizeof(*state));
 if (!state)
@@ -493,6 +496,8 @@ int ff_jpegls_decode_picture(MJpegDecodeContext *s)
 goto end;
 }
 
+ s->total_ls_decoded_height += decoded_height;
+
 if (s->xfrm && s->nb_components == 3) {
 int x, w;
 
diff --git a/libavcodec/mjpegdec.c b/libavcodec/mjpegdec.c
index e6c4f4acfc..4ac9b69a98 100644
--- a/libavcodec/mjpegdec.c
+++ b/libavcodec/mjpegdec.c
@@ -314,6 +314,7 @@ int ff_mjpeg_decode_sof(MJpegDecodeContext *s)
 int v_count[MAX_COMPONENTS] = { 0 };
 
 s->cur_scan = 0;
+ s->total_ls_decoded_height = 0;
 memset(s->upscale_h, 0, sizeof(s->upscale_h));
 memset(s->upscale_v, 0, sizeof(s->upscale_v));
 
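Review bot: The `8LL` multiplier in the new guard at the top of ff_jpegls_decode_picture is an unexplained magic number; a reader cannot tell whether eight times the picture height is a conformance limit or deliberate slack for streams that legitimately re-decode rows across several scans, so the threshold is hard to tune or defend later. A one-line comment on the `if` would settle that, for example `/* a sane stream decodes ~s->height rows per SOF; 8x is slack for repeated/partial scans, beyond which we stop spending time on the input */`, worded to match the actual intent. Placing the check before the `state` allocation is the right spot, since it costs nothing and rejects the input before any further work. The function continues beyond this hunk.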
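Review bot: Rows decoded on the `goto end;` path immediately above the new `s->total_ls_decoded_height += decoded_height;` are never added to the running total, because the increment is reached only when that exit is not taken. If the preceding decode loop (outside the hunk, so this is inferred) can advance `decoded_height` and then leave via `goto end`, an input that fails late in every scan would keep the counter below the bound introduced in the first hunk while still doing the work the bound is meant to cap. Accumulating at the `end:` label, or before the error exit, would make the counter reflect rows actually decoded rather than scans that completed cleanly. ff_jpegls_decode_picture extends past both ends of this hunk.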
diff --git a/libavcodec/mjpegdec.h b/libavcodec/mjpegdec.h
index 19ff4436e3..2780041f61 100644
--- a/libavcodec/mjpegdec.h
+++ b/libavcodec/mjpegdec.h
@@ -139,6 +139,7 @@ typedef struct MJpegDecodeContext {
 int mjpb_skiptosod;
 
 int cur_scan; /* current scan, used by JPEG-LS */
+ int64_t total_ls_decoded_height; /* cumulative JPEG-LS rows decoded since the last SOF */
 int flipped; /* true if picture is flipped */
 
 uint16_t (*ljpeg_buffer)[4];
-- 
2.52.0

_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
