MIME-Version: 1.0
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 09 Oct 2025 03:36:00 -0000
Message-ID: <175998096154.65.5995348665841419495@bf249f23a2c8>
Subject: [FFmpeg-devel] [PATCH] avcodec/hevc/sei: prevent storing a potentially bogus num_ref_displays value in HEVCSEITDRDI (PR #20676)
From: James Almer via ffmpeg-devel
Cc: James Almer
Reply-To: FFmpeg development discussions and patches
List-Id: FFmpeg development discussions and patches
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

PR #20676 opened by James Almer (jamrial)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20676
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20676.patch

Supersedes PR #20675

From 47473414c5a3329308ce6f0f31947b891ff58156 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Thu, 9 Oct 2025 00:31:10 -0300
Subject: [PATCH 1/3] avcodec/hevc/sei: prevent storing a potentially bogus num_ref_displays value in HEVCSEITDRDI

Fixes: 439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680
Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer
---
 libavcodec/hevc/sei.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c
index b8e98cde89..e81dfcbff9 100644
--- a/libavcodec/hevc/sei.c
+++ b/libavcodec/hevc/sei.c @@ -167,6 +167,8 @@ static int decode_nal_sei_timecode(HEVCSEITimeCode *s, GetBitContext *gb) static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitContext *gb) { + unsigned num_ref_displays; + s->prec_ref_display_width = get_ue_golomb(gb); if (s->prec_ref_display_width > 31) return AVERROR_INVALIDDATA; @@ -176,10 +178,10 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont if (s->prec_ref_viewing_dist > 31) return AVERROR_INVALIDDATA; } - s->num_ref_displays = get_ue_golomb(gb); - if (s->num_ref_displays > 31) + num_ref_displays = get_ue_golomb(gb); + if (num_ref_displays > 31) return AVERROR_INVALIDDATA; - s->num_ref_displays += 1; + s->num_ref_displays = num_ref_displays + 1; for (int i = 0; i < s->num_ref_displays; i++) { int length; -- 2.49.1 >>From 13b9ed162f8ab749ab3b5b7cb214c7bdf6299188 Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 9 Oct 2025 00:31:57 -0300 Subject: [PATCH 2/3] avcodec/hevc/sei: don't attempt to use stale values in HEVCSEITDRDI Invalidate the whole struct on SEI reset. Signed-off-by: James Almer --- libavcodec/hevc/hevcdec.c | 2 +- libavcodec/hevc/sei.c | 2 ++ libavcodec/hevc/sei.h | 2 ++ 3 files changed, 5 insertions(+), 1 deletion(-) diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c index b27d1d79e8..8d432a9a1f 100644 --- a/libavcodec/hevc/hevcdec.c +++ b/libavcodec/hevc/hevcdec.c @@ -4106,7 +4106,7 @@ static int hevc_sei_to_context(AVCodecContext *avctx, HEVCSEI *sei) { int ret; - if (sei->tdrdi.num_ref_displays) { + if (sei->tdrdi.present) { AVBufferRef *buf; size_t size; AV3DReferenceDisplaysInfo *tdrdi = av_tdrdi_alloc(sei->tdrdi.num_ref_displays, &size); diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c index e81dfcbff9..5fd4e763b3 100644 --- a/libavcodec/hevc/sei.c +++ b/libavcodec/hevc/sei.c 
@@ -217,6 +217,8 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont } s->three_dimensional_reference_displays_extension_flag = get_bits1(gb); + s->present = 1; + return 0; } diff --git a/libavcodec/hevc/sei.h b/libavcodec/hevc/sei.h index c4714bb7c5..d6891d60a6 100644 --- a/libavcodec/hevc/sei.h +++ b/libavcodec/hevc/sei.h @@ -93,6 +93,7 @@ typedef struct HEVCSEITDRDI { uint8_t additional_shift_present_flag[32]; int16_t num_sample_shift[32]; uint8_t three_dimensional_reference_displays_extension_flag; + int present; } HEVCSEITDRDI; typedef struct HEVCSEIRecoveryPoint { @@ -126,6 +127,7 @@ int ff_hevc_decode_nal_sei(GetBitContext *gb, void *logctx, HEVCSEI *s, */ static inline void ff_hevc_reset_sei(HEVCSEI *sei) { + sei->tdrdi.present = 0; ff_h2645_sei_reset(&sei->common); } -- 2.49.1 >>From d224576dac12dfa88ca001eb466c3bda23806f1f Mon Sep 17 00:00:00 2001 From: James Almer Date: Thu, 9 Oct 2025 00:32:39 -0300 Subject: [PATCH 3/3] avcodec/hevc/sei: don't attempt to use stale values in HEVCSEITimeCode Invalidate the whole struct on SEI reset. Signed-off-by: James Almer --- libavcodec/hevc/sei.h | 1 + 1 file changed, 1 insertion(+) diff --git a/libavcodec/hevc/sei.h b/libavcodec/hevc/sei.h index d6891d60a6..2fcd0e8d57 100644 --- a/libavcodec/hevc/sei.h +++ b/libavcodec/hevc/sei.h @@ -127,6 +127,7 @@ int ff_hevc_decode_nal_sei(GetBitContext *gb, void *logctx, HEVCSEI *s, */ static inline void ff_hevc_reset_sei(HEVCSEI *sei) { + sei->timecode.present = 0; sei->tdrdi.present = 0; ff_h2645_sei_reset(&sei->common); } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
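Review bot: in the 1/3 sei.c hunk at @@ -176,10 +178,10 @@, the `unsigned num_ref_displays` local is doing two jobs and deserves a one-line comment saying so: a negative error return from get_ue_golomb() wraps to a huge unsigned and is rejected by `if (num_ref_displays > 31)`, and the struct field is no longer written until the value has passed that check, so the early `return AVERROR_INVALIDDATA` can no longer leave a bogus count behind for hevc_sei_to_context() to use as an allocation size and loop bound. Without the comment the next reader may "clean up" the type to int and reopen the negative-value path. The reads a few lines earlier in the same function keep the old write-then-validate shape (`s->prec_ref_display_width = get_ue_golomb(gb); if (s->prec_ref_display_width > 31) return AVERROR_INVALIDDATA;` and the matching check on `s->prec_ref_viewing_dist` in the hunk context); they are not array bounds, but applying the same local-then-store pattern there would keep every error path from leaving half-updated fields in HEVCSEITDRDI instead of relying only on the present flag added in 2/3.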
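Review bot: in the 2/3 sei.c hunk at @@ -217,6 +217,8 @@, `s->present = 1;` is set only on the success path, but nothing in this function clears it on entry. The parser writes into `s` field by field and returns AVERROR_INVALIDDATA part-way through on bad input, so if a picture carries two 3D reference displays SEI messages between two ff_hevc_reset_sei() calls and the second one fails after the first succeeded, present is still 1 from the first message and hevc_sei_to_context() (which now gates on `sei->tdrdi.present`) exports a struct mixing values from both. Unless the caller already rejects a repeated SEI of this type, suggest `s->present = 0;` as the first statement of decode_nal_sei_3d_reference_displays_info(), or parse into a local HEVCSEITDRDI and copy it into `*s` only after the whole payload validated.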
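Review bot: in the 2/3 sei.h hunk at @@ -126,6 +127,7 @@, ff_hevc_reset_sei() clears only `sei->tdrdi.present`, while the commit message says the whole struct is invalidated; `num_ref_displays` and the view-id arrays keep their previous values across the reset. That is fine for the one consumer this series switches to `present` (the hevcdec.c hunk), but any other reader still keyed on `tdrdi.num_ref_displays != 0`, which was the pre-patch idiom, would keep seeing stale data. Either grep for remaining users of `tdrdi.num_ref_displays` and convert them, or also zero `num_ref_displays` here so the old test fails closed, and say in the commit message which of the two the patch relies on.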
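Review bot: in the 3/3 sei.h hunk at @@ -127,6 +127,7 @@, `sei->timecode.present = 0;` is the only change, so the fix is only as good as the consumer: the timecode export path is not in this series, and "don't attempt to use stale values" holds only if it gates on `timecode.present` rather than on a count or flag that the reset leaves untouched. Please confirm that in the commit message, and consider a comment above ff_hevc_reset_sei() stating that every per-SEI `present` flag in HEVCSEI must be cleared here, since 2/3 and 3/3 each added one separately and the next SEI struct added to HEVCSEI will need the same treatment.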
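The shape of the bug described in the 1/3 commit message, and the two defences the series applies, as an added stand-alone example: this is not FFmpeg code and not part of the patch or the message above. The bit reader, the RefDisplays struct, the parse functions and the byte strings are all constructed for the demonstration; only the pattern (a count stored into a shared struct before it is range-checked, an early error return, and a consumer that later trusts the stored count against 32-entry arrays) is taken from the patch.

```c
/* Added example, not FFmpeg code. Everything here is constructed to show the
 * pattern fixed by the series: a count written into the shared struct before
 * the range check, so an "invalid data" early return leaves a bogus bound for a
 * later consumer; then the fix (validate a local first, set a present flag only
 * after a complete parse). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_DISPLAYS 32

typedef struct { const uint8_t *buf; size_t nbits; size_t pos; } BitReader;

/* MSB-first bit reader; returns -1 once the payload is exhausted. */
static int read_bit(BitReader *br)
{
    if (br->pos >= br->nbits)
        return -1;
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* ue(v) Exp-Golomb: N leading zeros, a one, N info bits; value = code - 1.
 * Returns -1 on truncation or an implausibly long code, the way a library
 * reader signals an error through a negative int. */
static int read_ue(BitReader *br)
{
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0) {
        if (++zeros > 30)
            return -1;
    }
    if (bit < 0)
        return -1;
    uint32_t code = 1;
    for (int i = 0; i < zeros; i++) {
        if ((bit = read_bit(br)) < 0)
            return -1;
        code = (code << 1) | (uint32_t)bit;
    }
    return (int)(code - 1);
}

typedef struct {
    uint8_t  num_ref_displays;          /* meant to be 1..32 */
    uint16_t left_view_id[MAX_DISPLAYS];
    uint16_t right_view_id[MAX_DISPLAYS];
    int      present;                   /* 1 only after a complete, valid parse */
} RefDisplays;

static int read_pairs(RefDisplays *s, BitReader *br)
{
    for (int i = 0; i < s->num_ref_displays; i++) {
        int l = read_ue(br);
        int r = read_ue(br);
        if (l < 0 || r < 0)
            return -1;
        s->left_view_id[i]  = (uint16_t)l;
        s->right_view_id[i] = (uint16_t)r;
    }
    return 0;
}

/* Vulnerable shape: the count lands in the struct before the range check, so
 * the early return leaves e.g. 200 (or 255 from a -1 error) behind. */
static int parse_vulnerable(RefDisplays *s, const uint8_t *buf, size_t len)
{
    BitReader br = { buf, len * 8, 0 };
    s->num_ref_displays = (uint8_t)read_ue(&br);
    if (s->num_ref_displays > 31)
        return -1;                      /* too late: bogus value already stored */
    s->num_ref_displays += 1;
    return read_pairs(s, &br);
}

/* Hardened: validate a local, store only a bounded value, and set present last
 * so a partially filled struct is never consumed. */
static int parse_hardened(RefDisplays *s, const uint8_t *buf, size_t len)
{
    BitReader br = { buf, len * 8, 0 };
    s->present = 0;
    int v = read_ue(&br);
    if (v < 0 || v > 31)
        return -1;
    s->num_ref_displays = (uint8_t)(v + 1);
    if (read_pairs(s, &br) < 0)
        return -1;
    s->present = 1;
    return 0;
}

/* A consumer that trusts the stored count, like the pre-patch check on
 * num_ref_displays: how many entries past the 32-entry arrays it would read. */
static int overrun_entries(const RefDisplays *s)
{
    if (!s->num_ref_displays)
        return 0;
    return s->num_ref_displays > MAX_DISPLAYS ? s->num_ref_displays - MAX_DISPLAYS : 0;
}

/* Constructed payloads: ue(200) alone; ue(1) followed by view-id pairs (0,1) and
 * (2,3); and that valid payload cut after its first byte. */
static const uint8_t BOGUS_COUNT[] = { 0x01, 0x92 };
static const uint8_t VALID_TWO[]   = { 0x54, 0xC8 };
static const uint8_t TRUNCATED[]   = { 0x54 };

int main(void)
{
    RefDisplays a = {0}, b = {0};
    int ra = parse_vulnerable(&a, BOGUS_COUNT, sizeof BOGUS_COUNT);
    int rb = parse_hardened(&b, BOGUS_COUNT, sizeof BOGUS_COUNT);
    printf("vulnerable: ret=%d count=%d overrun=%d\n", ra, a.num_ref_displays, overrun_entries(&a));
    printf("hardened:   ret=%d count=%d present=%d\n", rb, b.num_ref_displays, b.present);
    return 0;
}
```

Both parsers reject the same bad payload; the difference is what they leave behind. The vulnerable one returns with `num_ref_displays == 200` stored, and a consumer indexing 32-entry arrays by that count reads 168 entries past their end; the hardened one leaves the count untouched and `present` at 0. The truncated payload shows the second defence: the hardened parser has already written `num_ref_displays` and the first pair when it fails, but the consumer never sees them because `present` is only raised after the whole payload validated.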