Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
 help / color / mirror / Atom feed
* [FFmpeg-devel] [PATCH 1/4] avcodec/evc_ps: Check cpb_cnt_minus1 and propagate error
@ 2023-09-15 13:11 Michael Niedermayer
  2023-09-15 13:11 ` [FFmpeg-devel] [PATCH 2/4] avcodec/evc_ps: Check ref_pic_num and sps_max_dec_pic_buffering_minus1 Michael Niedermayer
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Michael Niedermayer @ 2023-09-15 13:11 UTC (permalink / raw)
  To: FFmpeg development discussions and patches

Fixes: out of array access
Fixes: 60949/clusterfuzz-testcase-minimized-ffmpeg_dem_EVC_fuzzer-5959738853294080

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/evc_ps.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/libavcodec/evc_ps.c b/libavcodec/evc_ps.c
index 64384a392c2..7fe13fd32f0 100644
--- a/libavcodec/evc_ps.c
+++ b/libavcodec/evc_ps.c
@@ -53,6 +53,9 @@ static int ref_pic_list_struct(GetBitContext *gb, RefPicListStruct *rpl)
 static int hrd_parameters(GetBitContext *gb, HRDParameters *hrd)
 {
     hrd->cpb_cnt_minus1 = get_ue_golomb_31(gb);
+    if (hrd->cpb_cnt_minus1 >= FF_ARRAY_ELEMS(hrd->cpb_size_value_minus1))
+        return AVERROR_INVALIDDATA;
+
     hrd->bit_rate_scale = get_bits(gb, 4);
     hrd->cpb_size_scale = get_bits(gb, 4);
     for (int SchedSelIdx = 0; SchedSelIdx <= hrd->cpb_cnt_minus1; SchedSelIdx++) {
@@ -71,6 +74,8 @@ static int hrd_parameters(GetBitContext *gb, HRDParameters *hrd)
 // @see  ISO_IEC_23094-1 (E.2.1 VUI parameters syntax)
 static int vui_parameters(GetBitContext *gb, VUIParameters *vui)
 {
+    int ret;
+
     vui->aspect_ratio_info_present_flag = get_bits(gb, 1);
     if (vui->aspect_ratio_info_present_flag) {
         vui->aspect_ratio_idc = get_bits(gb, 8);
@@ -109,11 +114,18 @@ static int vui_parameters(GetBitContext *gb, VUIParameters *vui)
         vui->fixed_pic_rate_flag = get_bits(gb, 1);
     }
     vui->nal_hrd_parameters_present_flag = get_bits(gb, 1);
-    if (vui->nal_hrd_parameters_present_flag)
-        hrd_parameters(gb, &vui->hrd_parameters);
+    if (vui->nal_hrd_parameters_present_flag) {
+        ret = hrd_parameters(gb, &vui->hrd_parameters);
+        if (ret < 0)
+            return ret;
+    }
+
     vui->vcl_hrd_parameters_present_flag = get_bits(gb, 1);
-    if (vui->vcl_hrd_parameters_present_flag)
-        hrd_parameters(gb, &vui->hrd_parameters);
+    if (vui->vcl_hrd_parameters_present_flag) {
+        ret = hrd_parameters(gb, &vui->hrd_parameters);
+        if (ret < 0)
+            return ret;
+    }
     if (vui->nal_hrd_parameters_present_flag || vui->vcl_hrd_parameters_present_flag)
         vui->low_delay_hrd_flag = get_bits(gb, 1);
     vui->pic_struct_present_flag = get_bits(gb, 1);
@@ -292,8 +304,11 @@ int ff_evc_parse_sps(GetBitContext *gb, EVCParamSets *ps)
     }
 
     sps->vui_parameters_present_flag = get_bits1(gb);
-    if (sps->vui_parameters_present_flag)
-        vui_parameters(gb, &(sps->vui_parameters));
+    if (sps->vui_parameters_present_flag) {
+        ret = vui_parameters(gb, &(sps->vui_parameters));
+        if (ret < 0)
+            goto fail;
+    }
 
     // @note
     // If necessary, add the missing fields to the EVCParserSPS structure
-- 
2.17.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

^ permalink raw reply	[flat|nested] 10+ messages in thread
end of thread, other threads:[~2023-10-03 14:30 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-15 13:11 [FFmpeg-devel] [PATCH 1/4] avcodec/evc_ps: Check cpb_cnt_minus1 and propagate error Michael Niedermayer
2023-09-15 13:11 ` [FFmpeg-devel] [PATCH 2/4] avcodec/evc_ps: Check ref_pic_num and sps_max_dec_pic_buffering_minus1 Michael Niedermayer
2023-09-15 13:57   ` James Almer
2023-09-15 15:01     ` Michael Niedermayer
2023-09-15 13:11 ` [FFmpeg-devel] [PATCH 3/4] avutil/tx_template: Fix some signed integer overflows in DECL_FFT5() Michael Niedermayer
2023-10-03 14:30   ` Michael Niedermayer
2023-09-15 13:11 ` [FFmpeg-devel] [PATCH 4/4] avcodec/osq: avoid using too large numbers for shifts and integers in update_residue_parameter() Michael Niedermayer
2023-09-15 13:54   ` Paul B Mahol
2023-09-15 14:38     ` Michael Niedermayer
2023-09-22 18:48 ` [FFmpeg-devel] [PATCH 1/4] avcodec/evc_ps: Check cpb_cnt_minus1 and propagate error Michael Niedermayer

Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
		ffmpegdev@gitmailbox.com
	public-inbox-index ffmpegdev

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git