From ac9af7e9a5befa8a554bacbcc59ab2f11203d85e Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Sun, 16 Jun 2019 20:56:20 +0200
Subject: avcodec/atrac9dec: Check that the reused block has succeeded initilization
Fixes: global-buffer-overflow
Fixes: 15247/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_ATRAC9_fuzzer-5671602181636096
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/atrac9dec.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'libavcodec/atrac9dec.c')
diff --git a/libavcodec/atrac9dec.c b/libavcodec/atrac9dec.c
index 894c70c7fc..08fe483e39 100644
--- a/libavcodec/atrac9dec.c
+++ b/libavcodec/atrac9dec.c
@@ -71,6 +71,8 @@ typedef struct ATRAC9BlockData {
 int cpe_base_channel;
 int is_signs[30];
+ int reuseable;
+
 } ATRAC9BlockData;
 typedef struct ATRAC9Context {
@@ -668,6 +670,7 @@ static int atrac9_decode_block(ATRAC9Context *s, GetBitContext *gb,
 if (!reuse_params) {
 int stereo_band, ext_band;
 const int min_band_count = s->samplerate_idx > 7 ? 1 : 3;
+ b->reuseable = 0;
 b->band_count = get_bits(gb, 4) + min_band_count;
 b->q_unit_cnt = at9_tab_band_q_unit_map[b->band_count];
@@ -699,6 +702,11 @@ static int atrac9_decode_block(ATRAC9Context *s, GetBitContext *gb,
 }
 b->band_ext_q_unit = at9_tab_band_q_unit_map[ext_band];
 }
+ b->reuseable = 1;
+ }
+ if (!b->reuseable) {
+ av_log(s->avctx, AV_LOG_ERROR, "invalid block reused!\n");
+ return AVERROR_INVALIDDATA;
 }
 /* Calculate bit alloc gradient */
--
cgit v1.2.3
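Review bot: The new `reuseable` field in ATRAC9BlockData has no comment and sits outside the struct's field groups, so nothing in the struct shows that it gates use of every other field. I would add `/* 1 only after a complete parameter parse; must be set before reuse_params is honoured */` above it, and consider the spelling `reusable` while the name is still new. The guard also relies on the flag reading 0 for a block that has never been parsed. That presumably holds because the decoder context is zero-allocated, but the allocation is not visible in this patch and should be confirmed.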
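Review bot: The `if (!b->reuseable)` check added after the `if (!reuse_params)` block has no comment tying it to the failure it prevents. Going by the commit message, that failure is a reused block whose earlier parse did not complete, leaving the band and q_unit fields half-written before they are used as table indices. I would add `/* reuse_params is only valid after a parse that ran to completion */` above the check. The reset `b->reuseable = 0;` in the @@ -668 hunk should carry a note that it must stay ahead of every write to `b` and every early return in that branch, otherwise a later edit could leave the flag at 1 over partly updated fields. The log text "invalid block reused!" does not say which block was rejected, so including a block index would help triage of malformed streams if one is in scope. atrac9_decode_block starts and ends outside these hunks, so the early-return paths themselves are not visible here.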