From: michaelni via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: michaelni <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH] avcodec/hevc/sei: Do not leave invalid values in HEVCSEITDRDI (PR #20675)
Date: Thu, 09 Oct 2025 02:07:52 -0000
Message-ID: <175997567258.65.8366013149215651693@bf249f23a2c8> (raw)

PR #20675 opened by michaelni
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20675
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20675.patch

Fixes: 439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680
Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

>From 4e1ade1212daf4b71a5e28a791eeea5b1c13f7e7 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Thu, 9 Oct 2025 03:25:01 +0200
Subject: [PATCH] avcodec/hevc/sei: Do not leave invalid values in HEVCSEITDRDI

Fixes: 439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680
Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hevc/sei.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c
index b8e98cde89..525f524492 100644
--- a/libavcodec/hevc/sei.c
+++ b/libavcodec/hevc/sei.c
@@ -167,18 +167,21 @@ static int decode_nal_sei_timecode(HEVCSEITimeCode *s, GetBitContext *gb)
 static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitContext *gb)
 {
+    HEVCSEITDRDI bak = *s;
+
     s->prec_ref_display_width = get_ue_golomb(gb);
     if (s->prec_ref_display_width > 31)
-        return AVERROR_INVALIDDATA;
+        goto fail;
     s->ref_viewing_distance_flag = get_bits1(gb);
     if (s->ref_viewing_distance_flag) {
         s->prec_ref_viewing_dist = get_ue_golomb(gb);
         if (s->prec_ref_viewing_dist > 31)
-            return AVERROR_INVALIDDATA;
+            goto fail;
     }
     s->num_ref_displays = get_ue_golomb(gb);
+
     if (s->num_ref_displays > 31)
-        return AVERROR_INVALIDDATA;
+        goto fail;
     s->num_ref_displays += 1;
     for (int i = 0; i < s->num_ref_displays; i++) {
@@ -187,7 +190,7 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
         s->right_view_id[i] = get_ue_golomb(gb);
         s->exponent_ref_display_width[i] = get_bits(gb, 6);
         if (s->exponent_ref_display_width[i] > 62)
-            return AVERROR_INVALIDDATA;
+            goto fail;
         else if (!s->exponent_ref_display_width[i])
             length = FFMAX(0, (int)s->prec_ref_display_width - 30);
         else
@@ -197,7 +200,7 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
         if (s->ref_viewing_distance_flag) {
             s->exponent_ref_viewing_distance[i] = get_bits(gb, 6);
             if (s->exponent_ref_viewing_distance[i] > 62)
-                return AVERROR_INVALIDDATA;
+                goto fail;
             else if (!s->exponent_ref_viewing_distance[i])
                 length = FFMAX(0, (int)s->prec_ref_viewing_dist - 30);
             else
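Review bot: In the first hunk every range check runs only after the value has already been stored into the struct member (`s->prec_ref_display_width = get_ue_golomb(gb); if (s->prec_ref_display_width > 31) goto fail;`, and the same shape for prec_ref_viewing_dist and num_ref_displays), so if those HEVCSEITDRDI members are narrower than int — the struct definition is not part of this patch, so this is an assumption to confirm — the ue(v) result is truncated before the comparison and an out-of-range code such as 256 would pass the check as 0, while a negative error return from get_ue_golomb() is rejected only as a side effect of the conversion. Reading each value into a local int, rejecting negatives and values above 31 explicitly, and storing only after the check makes the validation independent of the member width and still ends in the same `fail:` restore. decode_nal_sei_3d_reference_displays_info continues past the end of this hunk.
```c
static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitContext *gb)
{
    HEVCSEITDRDI bak = *s;
    int v;

    v = get_ue_golomb(gb);
    if (v < 0 || v > 31)
        goto fail;
    s->prec_ref_display_width = v;
    s->ref_viewing_distance_flag = get_bits1(gb);
    if (s->ref_viewing_distance_flag) {
        v = get_ue_golomb(gb);
        if (v < 0 || v > 31)
            goto fail;
        s->prec_ref_viewing_dist = v;
    }
    v = get_ue_golomb(gb);
    if (v < 0 || v > 31)
        goto fail;
    s->num_ref_displays = v + 1;
    /* … unchanged: per-display loop and fail: restore … */
```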
@@ -209,13 +212,18 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
         if (s->additional_shift_present_flag[i]) {
             s->num_sample_shift[i] = get_bits(gb, 10);
             if (s->num_sample_shift[i] > 1023)
-                return AVERROR_INVALIDDATA;
+                goto fail;
             s->num_sample_shift[i] -= 512;
         }
     }
     s->three_dimensional_reference_displays_extension_flag = get_bits1(gb);
     return 0;
+fail:
+
+    *s = bak;
+
+    return AVERROR_INVALIDDATA;
 }
 
 static int decode_nal_sei_prefix(GetBitContext *gb, GetByteContext *gbyte,
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
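Review bot: The new `fail:` label restores `*s` from `bak` without a comment, and from this hunk alone the reason is not obvious — presumably the partially written members (num_ref_displays and the per-display arrays, given the commit's "out of array access") were being consumed by later readers of the struct after the SEI had already been rejected. A one-line comment such as `/* Restore the caller's state so a rejected SEI never leaves partially parsed values (e.g. num_ref_displays) behind for later readers. */` above `*s = bak;` would record that contract for the next person who is tempted to turn a `goto fail` back into a bare return. Separately, the `if (s->num_sample_shift[i] > 1023)` check immediately above the new `goto fail` can never be true for a value just read with `get_bits(gb, 10)`, so that branch is unreachable and could simply be dropped. decode_nal_sei_3d_reference_displays_info begins before this hunk.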