[FFmpeg-cvslog] avcodec/jpegxl_parser: Check for ctx->skip overflow

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <mich...@niedermayer.cc> | Sun 
Sep 10 02:37:47 2023 +0200| [ca09d8a0dcd82e3128e62463231296aaf63ae6f7] | 
committer: Michael Niedermayer

avcodec/jpegxl_parser: Check for ctx->skip overflow

Fixes: out of array access
Fixes: 
62113/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5025082076168192

Found-by: continuous fuzzing process 
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=ca09d8a0dcd82e3128e62463231296aaf63ae6f7
---

 libavcodec/jpegxl_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/jpegxl_parser.c b/libavcodec/jpegxl_parser.c
index 4010bc713a..6656ed35c5 100644
--- a/libavcodec/jpegxl_parser.c
+++ b/libavcodec/jpegxl_parser.c
@@ -1326,7 +1326,7 @@ static int skip_boxes(JXLParseContext *ctx, const uint8_t 
*buf, int buf_size)
         if (!size)
             return AVERROR_INVALIDDATA;
         /* invalid ISOBMFF size */
-        if (size <= head_size + 4)
+        if (size <= head_size + 4 || size > INT_MAX - ctx->skip)
             return AVERROR_INVALIDDATA;
 
         ctx->skip += size;

_______________________________________________
ffmpeg-cvslog mailing list
ffmpeg-cvslog@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog

To unsubscribe, visit link above, or email
ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".