From: James Almer via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: James Almer <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] avcodec/hevc/ps: Check window parameters (PR #22277)
Date: Tue, 24 Feb 2026 15:45:06 -0000
Message-ID: <177194790659.25.13583325620782252687@29965ddac10e> (raw)
PR #22277 opened by James Almer (jamrial)
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22277
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22277.patch
>From 97023345f64d0d85b4ec6cc89ffbc9a966f730ab Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michael@niedermayer.cc>
Date: Sun, 22 Feb 2026 21:50:37 +0100
Subject: [PATCH 1/2] avcodec/hevc/ps: Factor window reading out
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
libavcodec/hevc/ps.c | 52 +++++++++++++++++++++++++-------------------
libavcodec/hevc/ps.h | 5 +----
2 files changed, 31 insertions(+), 26 deletions(-)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
index 46b38564d5..ca2b8a7112 100644
--- a/libavcodec/hevc/ps.c
+++ b/libavcodec/hevc/ps.c
@@ -62,6 +62,22 @@ static const uint8_t hevc_sub_height_c[] = {
1, 2, 1, 1
};
+static int read_window(HEVCWindow *window, GetBitContext *gb, int chroma_format_idc, int w, int h)
+{
+ int vert_mult = hevc_sub_height_c[chroma_format_idc];
+ int horiz_mult = hevc_sub_width_c [chroma_format_idc];
+ unsigned left = get_ue_golomb_long(gb) * horiz_mult;
+ unsigned right = get_ue_golomb_long(gb) * horiz_mult;
+ unsigned top = get_ue_golomb_long(gb) * vert_mult;
+ unsigned bottom = get_ue_golomb_long(gb) * vert_mult;
+
+ window->left_offset = left;
+ window->right_offset = right;
+ window->top_offset = top;
+ window->bottom_offset = bottom;
+ return 0;
+}
+
static void remove_sps(HEVCParamSets *s, int id)
{
int i;
@@ -702,12 +718,12 @@ static int decode_vps_ext(GetBitContext *gb, AVCodecContext *avctx, HEVCVPS *vps
}
if (get_bits1(gb) /* conformance_window_vps_flag */) {
- int vert_mult = hevc_sub_height_c[vps->rep_format.chroma_format_idc];
- int horiz_mult = hevc_sub_width_c[vps->rep_format.chroma_format_idc];
- vps->rep_format.conf_win_left_offset = get_ue_golomb(gb) * horiz_mult;
- vps->rep_format.conf_win_right_offset = get_ue_golomb(gb) * horiz_mult;
- vps->rep_format.conf_win_top_offset = get_ue_golomb(gb) * vert_mult;
- vps->rep_format.conf_win_bottom_offset = get_ue_golomb(gb) * vert_mult;
+ int ret = read_window(&vps->rep_format.conf_win, gb,
+ vps->rep_format.chroma_format_idc,
+ vps->rep_format.pic_width_in_luma_samples,
+ vps->rep_format.pic_height_in_luma_samples);
+ if (ret < 0)
+ return ret;
}
vps->max_one_active_ref_layer = get_bits1(gb);
@@ -962,12 +978,7 @@ static void decode_vui(GetBitContext *gb, AVCodecContext *avctx,
vui->default_display_window_flag = get_bits1(gb);
if (vui->default_display_window_flag) {
- int vert_mult = hevc_sub_height_c[sps->chroma_format_idc];
- int horiz_mult = hevc_sub_width_c[sps->chroma_format_idc];
- vui->def_disp_win.left_offset = get_ue_golomb_long(gb) * horiz_mult;
- vui->def_disp_win.right_offset = get_ue_golomb_long(gb) * horiz_mult;
- vui->def_disp_win.top_offset = get_ue_golomb_long(gb) * vert_mult;
- vui->def_disp_win.bottom_offset = get_ue_golomb_long(gb) * vert_mult;
+ read_window(&vui->def_disp_win, gb, sps->chroma_format_idc, sps->width, sps->height);
if (apply_defdispwin &&
avctx->flags2 & AV_CODEC_FLAG2_IGNORE_CROP) {
@@ -1281,10 +1292,10 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->width = rf->pic_width_in_luma_samples;
sps->height = rf->pic_height_in_luma_samples;
- sps->pic_conf_win.left_offset = rf->conf_win_left_offset;
- sps->pic_conf_win.right_offset = rf->conf_win_right_offset;
- sps->pic_conf_win.top_offset = rf->conf_win_top_offset;
- sps->pic_conf_win.bottom_offset = rf->conf_win_bottom_offset;
+ sps->pic_conf_win.left_offset = rf->conf_win.left_offset;
+ sps->pic_conf_win.right_offset = rf->conf_win.right_offset;
+ sps->pic_conf_win.top_offset = rf->conf_win.top_offset;
+ sps->pic_conf_win.bottom_offset = rf->conf_win.bottom_offset;
} else {
sps->chroma_format_idc = get_ue_golomb_long(gb);
@@ -1307,12 +1318,9 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->conformance_window = get_bits1(gb);
if (sps->conformance_window) {
- int vert_mult = hevc_sub_height_c[sps->chroma_format_idc];
- int horiz_mult = hevc_sub_width_c[sps->chroma_format_idc];
- sps->pic_conf_win.left_offset = get_ue_golomb_long(gb) * horiz_mult;
- sps->pic_conf_win.right_offset = get_ue_golomb_long(gb) * horiz_mult;
- sps->pic_conf_win.top_offset = get_ue_golomb_long(gb) * vert_mult;
- sps->pic_conf_win.bottom_offset = get_ue_golomb_long(gb) * vert_mult;
+ ret = read_window(&sps->pic_conf_win, gb, sps->chroma_format_idc, sps->width, sps->height);
+ if (ret < 0)
+ return ret;
if (avctx->flags2 & AV_CODEC_FLAG2_IGNORE_CROP) {
av_log(avctx, AV_LOG_DEBUG,
diff --git a/libavcodec/hevc/ps.h b/libavcodec/hevc/ps.h
index d620887b8e..f5c5f81a6e 100644
--- a/libavcodec/hevc/ps.h
+++ b/libavcodec/hevc/ps.h
@@ -162,10 +162,7 @@ typedef struct RepFormat {
uint8_t separate_colour_plane_flag;
uint8_t bit_depth_luma; ///< bit_depth_vps_luma_minus8 + 8
uint8_t bit_depth_chroma; ///< bit_depth_vps_chroma_minus8 + 8
- uint16_t conf_win_left_offset;
- uint16_t conf_win_right_offset;
- uint16_t conf_win_top_offset;
- uint16_t conf_win_bottom_offset;
+ HEVCWindow conf_win;
} RepFormat;
typedef struct HEVCVPS {
--
2.52.0
>From 3b3127850a2565c62c4d8d982ff1f5dad3de371c Mon Sep 17 00:00:00 2001
From: James Almer <jamrial@gmail.com>
Date: Tue, 24 Feb 2026 12:33:47 -0300
Subject: [PATCH 2/2] avcodec/hevc/ps: Check window parameters
Fixes: signed integer overflow: -1094995529 * 2 cannot be represented in type 'int'
Fixes: 484567435/clusterfuzz-testcase-minimized-ffmpeg_dem_HXVS_fuzzer-5628836988649472
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
---
libavcodec/hevc/ps.c | 48 +++++++++++++++++++++++++++-----------------
1 file changed, 30 insertions(+), 18 deletions(-)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
index ca2b8a7112..df4039a2a3 100644
--- a/libavcodec/hevc/ps.c
+++ b/libavcodec/hevc/ps.c
@@ -66,15 +66,19 @@ static int read_window(HEVCWindow *window, GetBitContext *gb, int chroma_format_
{
int vert_mult = hevc_sub_height_c[chroma_format_idc];
int horiz_mult = hevc_sub_width_c [chroma_format_idc];
- unsigned left = get_ue_golomb_long(gb) * horiz_mult;
- unsigned right = get_ue_golomb_long(gb) * horiz_mult;
- unsigned top = get_ue_golomb_long(gb) * vert_mult;
- unsigned bottom = get_ue_golomb_long(gb) * vert_mult;
+ unsigned left = get_ue_golomb_long(gb);
+ unsigned right = get_ue_golomb_long(gb);
+ unsigned top = get_ue_golomb_long(gb);
+ unsigned bottom = get_ue_golomb_long(gb);
- window->left_offset = left;
- window->right_offset = right;
- window->top_offset = top;
- window->bottom_offset = bottom;
+ if (left > w || right > w ||
+ top > h || bottom > h)
+ return AVERROR_INVALIDDATA;
+
+ window->left_offset = left * horiz_mult;
+ window->right_offset = right * horiz_mult;
+ window->top_offset = top * vert_mult;
+ window->bottom_offset = bottom * vert_mult;
return 0;
}
@@ -699,6 +703,10 @@ static int decode_vps_ext(GetBitContext *gb, AVCodecContext *avctx, HEVCVPS *vps
vps->rep_format.pic_width_in_luma_samples = get_bits(gb, 16);
vps->rep_format.pic_height_in_luma_samples = get_bits(gb, 16);
+ if (vps->rep_format.pic_width_in_luma_samples > HEVC_MAX_WIDTH ||
+ vps->rep_format.pic_height_in_luma_samples > HEVC_MAX_HEIGHT)
+ return AVERROR_INVALIDDATA;
+
if (!get_bits1(gb) /* chroma_and_bit_depth_vps_present_flag */) {
av_log(avctx, AV_LOG_ERROR,
"chroma_and_bit_depth_vps_present_flag=0 in first rep_format\n");
@@ -935,7 +943,7 @@ err:
return ret;
}
-static void decode_vui(GetBitContext *gb, AVCodecContext *avctx,
+static int decode_vui(GetBitContext *gb, AVCodecContext *avctx,
int apply_defdispwin, HEVCSPS *sps)
{
VUI backup_vui, *vui = &sps->vui;
@@ -978,7 +986,7 @@ static void decode_vui(GetBitContext *gb, AVCodecContext *avctx,
vui->default_display_window_flag = get_bits1(gb);
if (vui->default_display_window_flag) {
- read_window(&vui->def_disp_win, gb, sps->chroma_format_idc, sps->width, sps->height);
+ int ret = read_window(&vui->def_disp_win, gb, sps->chroma_format_idc, sps->width, sps->height);
if (apply_defdispwin &&
avctx->flags2 & AV_CODEC_FLAG2_IGNORE_CROP) {
@@ -994,7 +1002,8 @@ static void decode_vui(GetBitContext *gb, AVCodecContext *avctx,
vui->def_disp_win.right_offset =
vui->def_disp_win.top_offset =
vui->def_disp_win.bottom_offset = 0;
- }
+ } else if (ret < 0)
+ return ret;
}
timing_info:
@@ -1055,6 +1064,8 @@ timing_info:
alt = 1;
goto timing_info;
}
+
+ return 0;
}
static void set_default_scaling_list_data(ScalingList *sl)
@@ -1312,15 +1323,12 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->width = get_ue_golomb_long(gb);
sps->height = get_ue_golomb_long(gb);
- if ((ret = av_image_check_size(sps->width,
- sps->height, 0, avctx)) < 0)
+ if (sps->width > HEVC_MAX_WIDTH || sps->height > HEVC_MAX_HEIGHT)
return ret;
sps->conformance_window = get_bits1(gb);
if (sps->conformance_window) {
ret = read_window(&sps->pic_conf_win, gb, sps->chroma_format_idc, sps->width, sps->height);
- if (ret < 0)
- return ret;
if (avctx->flags2 & AV_CODEC_FLAG2_IGNORE_CROP) {
av_log(avctx, AV_LOG_DEBUG,
@@ -1335,7 +1343,8 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->pic_conf_win.right_offset =
sps->pic_conf_win.top_offset =
sps->pic_conf_win.bottom_offset = 0;
- }
+ } else if (ret < 0)
+ return ret;
}
sps->bit_depth = get_ue_golomb_31(gb) + 8;
@@ -1512,8 +1521,11 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->strong_intra_smoothing_enabled = get_bits1(gb);
sps->vui.common.sar = (AVRational){0, 1};
sps->vui_present = get_bits1(gb);
- if (sps->vui_present)
- decode_vui(gb, avctx, apply_defdispwin, sps);
+ if (sps->vui_present) {
+ ret = decode_vui(gb, avctx, apply_defdispwin, sps);
+ if (ret < 0)
+ return ret;
+ }
sps->extension_present = get_bits1(gb);
if (sps->extension_present) {
--
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
reply other threads:[~2026-02-24 21:42 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=177194790659.25.13583325620782252687@29965ddac10e \
--to=ffmpeg-devel@ffmpeg.org \
--cc=code@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git