Replace the assert in mel_init to an if statement to address an issue with fuzzing. (#1436)

Modified the mel_init code to replace the assert statement with an if statement, returning false when an incorrect sequence of bytes is encountered in the MEL segment.  Similar code should be added to the main MEL decoding subroutine, but that change is more involved; in any case, an incorrect sequence produces incorrect results, but should not be harmful or cause a crash.
Aous Naman 2022-08-12 02:29:40 +10:00 committed by GitHub
parent 59fb7ea736
commit 4da04cd3e8
1 changed files with 16 additions and 3 deletions


@ -294,7 +294,7 @@ void mel_decode(dec_mel_t *melp)
* @param [in] scup is the length of MEL+VLC segments * @param [in] scup is the length of MEL+VLC segments
*/ */
static INLINE static INLINE
void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup) OPJ_BOOL mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
{ {
int num; int num;
int i; int i;
@ -316,7 +316,9 @@ void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
OPJ_UINT64 d; OPJ_UINT64 d;
int d_bits; int d_bits;
assert(melp->unstuff == OPJ_FALSE || melp->data[0] <= 0x8F); if (melp->unstuff == OPJ_TRUE && melp->data[0] > 0x8F) {
return OPJ_FALSE;
}
d = (melp->size > 0) ? *melp->data : 0xFF; // if buffer is consumed d = (melp->size > 0) ? *melp->data : 0xFF; // if buffer is consumed
// set data to 0xFF // set data to 0xFF
if (melp->size == 1) { if (melp->size == 1) {
@ -332,6 +334,7 @@ void mel_init(dec_mel_t *melp, OPJ_UINT8* bbuf, int lcup, int scup)
} }
melp->tmp <<= (64 - melp->bits); //push all the way up so the first bit melp->tmp <<= (64 - melp->bits); //push all the way up so the first bit
// is the MSB // is the MSB
return OPJ_TRUE;
} }
//************************************************************************/ //************************************************************************/
@ -1374,7 +1377,17 @@ OPJ_BOOL opj_t1_ht_decode_cblk(opj_t1_t *t1,
} }
// init structures // init structures
mel_init(&mel, coded_data, lcup, scup); if (mel_init(&mel, coded_data, lcup, scup) == OPJ_FALSE) {
if (p_manager_mutex) {
opj_mutex_lock(p_manager_mutex);
}
opj_event_msg(p_manager, EVT_ERROR, "Malformed HT codeblock. "
"Incorrect MEL segment sequence.\n");
if (p_manager_mutex) {
opj_mutex_unlock(p_manager_mutex);
}
return OPJ_FALSE;
}
rev_init(&vlc, coded_data, lcup, scup); rev_init(&vlc, coded_data, lcup, scup);
frwd_init(&magsgn, coded_data, lcup - scup, 0xFF); frwd_init(&magsgn, coded_data, lcup - scup, 0xFF);
if (num_passes > 1) { // needs to be tested if (num_passes > 1) { // needs to be tested
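Review bot: The new check in the second hunk dereferences `melp->data[0]` unconditionally, while the very next line guards the same read with `(melp->size > 0) ? *melp->data : 0xFF`, which suggests the buffer can already be consumed at this point; the old assert had the same read, but it was compiled out in NDEBUG builds, whereas the new `if` always executes. If a consumed buffer is reachable here, the check should carry the same guard, e.g. `if (melp->unstuff == OPJ_TRUE && melp->size > 0 && melp->data[0] > 0x8F) {`, so that the malformed-input detection does not itself read past the segment. The surrounding loop and the rest of mel_init's body, including how data/size are initialised, lie outside the hunk, so whether size can be 0 on entry is inferred rather than visible. In the last hunk, the early `return OPJ_FALSE` in opj_t1_ht_decode_cblk is emitted after the error message is logged under the mutex, which matches the pattern of a guarded event call; whether anything allocated earlier in that function needs releasing on this path cannot be seen from the hunk and is worth confirming.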