From ac8dfcbd89a818b786d05ebc1af70f7bf6aeb86e Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Sat, 27 May 2017 13:17:34 +0200 Subject: avcodec/mlpdec: Do not leave invalid values in matrix_out_ch[] on error Fixes: runtime error: index 12 out of bounds for type 'uint8_t [8]' Fixes: 1832/clusterfuzz-testcase-minimized-6574546079449088 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/mlpdec.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'libavcodec/mlpdec.c') diff --git a/libavcodec/mlpdec.c b/libavcodec/mlpdec.c index c0a23c5f0d..0b0f83658e 100644 --- a/libavcodec/mlpdec.c +++ b/libavcodec/mlpdec.c @@ -729,8 +729,7 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Number of primitive matrices cannot be greater than %d.\n", max_primitive_matrices); - s->num_primitive_matrices = 0; - return AVERROR_INVALIDDATA; + goto error; } for (mat = 0; mat < s->num_primitive_matrices; mat++) { @@ -743,12 +742,12 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo av_log(m->avctx, AV_LOG_ERROR, "Invalid channel %d specified as output from matrix.\n", s->matrix_out_ch[mat]); - return AVERROR_INVALIDDATA; + goto error; } if (frac_bits > 14) { av_log(m->avctx, AV_LOG_ERROR, "Too many fractional bits specified.\n"); - return AVERROR_INVALIDDATA; + goto error; } max_chan = s->max_matrix_channel; @@ -770,6 +769,11 @@ static int read_matrix_params(MLPDecodeContext *m, unsigned int substr, GetBitCo } return 0; +error: + s->num_primitive_matrices = 0; + memset(s->matrix_out_ch, 0, sizeof(s->matrix_out_ch)); + + return AVERROR_INVALIDDATA; } /** Read channel parameters. */ -- cgit v1.2.3