From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 78EE541337 for ; Sat, 23 Dec 2023 02:57:47 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id A398868D240; Sat, 23 Dec 2023 04:57:43 +0200 (EET) Received: from mail-qv1-f44.google.com (mail-qv1-f44.google.com [209.85.219.44]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 32C6068D18D for ; Sat, 23 Dec 2023 04:57:37 +0200 (EET) Received: by mail-qv1-f44.google.com with SMTP id 6a1803df08f44-67f564b4245so5435666d6.1 for ; Fri, 22 Dec 2023 18:57:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1703300255; x=1703905055; darn=ffmpeg.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Q/wNnKHMuN9GsuGjaUgCurwvk6tyWYHmDjZR7rbR5GI=; b=nmxt4KjLr1V9Bel7J7nx10MJdMaczXKlmJD4DhwYN9cSaeXljc9Q428PEYu4Xfg+bE C+WyJ8DtqB3fCnmhVw/rYeGf3vF2Sm4sWtF6ybE93qSIr6o2aWgmU9gXJyr4ZjRzmxmE PmzURAa9HWxE/eirmJyb7b5qUQyhJZpoTlypBWz+fxZgJEmJzoyzhHUpzuq4TXFLosPe YvL2GDNNvgghqrXgAVvl1nFwqezGEWKb1DCsCXsPoWqosNZw46zt7p7I5pPUE3R4xbWO VppEQ3lySxJEteC4JMbtjRXcVYlZJhZ6Is4fbPjG4fb9RgrQZNbenUjt7SLEaYvXQF2J dFng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1703300255; x=1703905055; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Q/wNnKHMuN9GsuGjaUgCurwvk6tyWYHmDjZR7rbR5GI=; b=J+Fv++H8spWo4YlfCH5Ip0vmwYtp8Qn/v6m4K2zr4fh4VjBngyo1c9DvGIaKAkONNc OxwOzCebfc9GapRafytp58Mzi2XYlG52GahCuJTpCMhmVj7CPFoWZN7AsDhvhqQIxK+l mVzMFQIqcgVG3Ob7lRR4jZ0tqQ2cxuG556V5vVE/Yub6RDN4vjuIXzlBaInyttizMJxU v/QT+lorvA+3jDua69nPcalwEgD40zNkuEFu0vlBV/365XZlC2fcZ5DFeNNmMRqlOkNz RAa59JcXqkCX8khgHsGKvbdVB8Rct1hJNc4Gd3VRdBm/Oz3LX4gLOjzrOD5zfKd/2+Hb Hokg== X-Gm-Message-State: AOJu0Yxc8ICx8vk/7QP1zNKyh2hZA6Ed8oyGSLgNrxOpnTeB5MeFxkbH O1QKkfpudBH3u1oT3zcAb28fZ3po8C4= X-Google-Smtp-Source: AGHT+IFMrCk3XZZXOBTdOjx7mWGbWFpLJHxb07v+y/82wF8cjVG4FPAZykXUSS7Q41Z0VGquWHD7AQ== X-Received: by 2002:a05:6214:c64:b0:67e:f9a7:6bf2 with SMTP id t4-20020a0562140c6400b0067ef9a76bf2mr4658922qvj.3.1703300255425; Fri, 22 Dec 2023 18:57:35 -0800 (PST) Received: from gauss.local (c-68-56-149-176.hsd1.mi.comcast.net. [68.56.149.176]) by smtp.gmail.com with ESMTPSA id o3-20020a056214180300b0067a10672b80sm1796883qvw.48.2023.12.22.18.57.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Dec 2023 18:57:35 -0800 (PST) From: Leo Izen To: ffmpeg-devel@ffmpeg.org Date: Fri, 22 Dec 2023 21:57:33 -0500 Message-ID: <20231223025733.85366-1-leo.izen@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] avcodec/jpegxl_parser: check ANS cluster alphabet size vs bundle size X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Michael Niedermayer , Leo Izen Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: The specification doesn't mention that clusters cannot have alphabet sizes greater than 1 << bundle->log_alphabet_size, but the reference implementation rejects these entropy streams as invalid, so we should too. Refusing to do so can overflow a stack variable on line 556 that should be large enough otherwise. Fixes #10738. Reported-by: Michael Niedermayer Signed-off-by: Leo Izen --- libavcodec/jpegxl_parser.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c index 006eb6b295..c9832e4393 100644 --- a/libavcodec/jpegxl_parser.c +++ b/libavcodec/jpegxl_parser.c @@ -388,7 +388,6 @@ static int populate_distribution(GetBitContext *gb, JXLSymbolDistribution *dist, if (get_bits1(gb)) { /* simple code */ - dist->alphabet_size = 256; if (get_bits1(gb)) { uint8_t v1 = jxl_u8(gb); uint8_t v2 = jxl_u8(gb); @@ -398,10 +397,12 @@ static int populate_distribution(GetBitContext *gb, JXLSymbolDistribution *dist, dist->freq[v2] = (1 << 12) - dist->freq[v1]; if (!dist->freq[v1]) dist->uniq_pos = v2; + dist->alphabet_size = 1 + FFMAX(v1, v2); } else { uint8_t x = jxl_u8(gb); dist->freq[x] = 1 << 12; dist->uniq_pos = x; + dist->alphabet_size= 1 + x; } return 0; } @@ -880,6 +881,8 @@ static int read_distribution_bundle(GetBitContext *gb, JXLEntropyDecoder *dec, ret = populate_distribution(gb, &bundle->dists[i], bundle->log_alphabet_size); if (ret < 0) return ret; + if (bundle->dists[i].alphabet_size > (1 << bundle->log_alphabet_size)) + return AVERROR_INVALIDDATA; if (get_bits_left(gb) < 0) return AVERROR_BUFFER_TOO_SMALL; } -- 2.43.0 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".