From: Frank Plowman
Date: Tue, 09 Apr 2024 07:55:11 +0000 (UTC)
Message-ID: <20240409075507.7576-1-post@frankplowman.com>
X-Mailer: git-send-email 2.44.0
To: ffmpeg-devel@ffmpeg.org
Cc: Frank Plowman
Subject: [FFmpeg-devel] [PATCH] lavc/vvc: Fix buffer overread in CABAC

The size variable here is taken as gospel for the bounds of the input buffer in later logic. Clamp it to ensure that the returned region does not extend past that allocated in the underlying GetBitContext, even in the case where entry point offsets are signalled in the bitstream. Also assert this for good measure.

Signed-off-by: Frank Plowman
---
 libavcodec/vvc/dec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/vvc/dec.c b/libavcodec/vvc/dec.c
index 27ffbb741d..a4fc40b40a 100644
--- a/libavcodec/vvc/dec.c
+++ b/libavcodec/vvc/dec.c
@@ -497,9 +497,11 @@ static void ep_init_cabac_decoder(SliceContext *sc, const int index, skipped++; } size = end - start; + size = av_clip(size, 0, get_bits_left(gb) / 8); } else { size = get_bits_left(gb) / 8; } + av_assert0(gb->buffer + get_bits_count(gb) / 8 + size <= gb->buffer_end); ff_init_cabac_decoder (&ep->cc, gb->buffer + get_bits_count(gb) / 8, size); skip_bits(gb, size * 8); } -- 2.44.0
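Review bot: after the new `size = av_clip(size, 0, get_bits_left(gb) / 8);` line, a malformed entry point offset (end before start, or an offset pointing past the end of the payload) no longer overreads, but it is silently turned into a truncated or zero-length region, and the `ff_init_cabac_decoder (&ep->cc, ...)` call two lines below still discards its return value; because ep_init_cabac_decoder is declared `static void`, the corruption cannot reach the caller at all. Suggest at least an av_log warning when the clamp actually changes `size`, or changing the function to return int so the slice can be rejected with AVERROR_INVALIDDATA, and please confirm that ff_init_cabac_decoder copes with a region of 0 or 1 bytes, which the clamp can now hand it. Two smaller points: av_clip aborts in builds with ASSERT_LEVEL >= 2 when amin > amax, so this relies on get_bits_left(gb) never being negative at this point; and av_assert0 stays enabled in release builds and aborts the process on failure, which is acceptable here only because the clamp (and the `size = get_bits_left(gb) / 8;` branch) make the condition unreachable, so if the intent is a cheap sanity check rather than a deliberate crash, av_assert1 is the conventional choice.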
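To make the failure mode the patch addresses concrete, here is an added, stand-alone model of carving a slice payload into per-entry-point CABAC regions with each signalled length clamped to the bytes that actually remain, written for this page and not taken from libavcodec. Every name in it (byte_cursor_t, ep_region_t, carve_entry_points, the demo_* helpers, the 16-byte constructed payload and the entry point lengths) is invented for the example; it reproduces the clamp and the end-of-buffer invariant from the hunk, and additionally counts how many lengths had to be clamped so a caller could reject the slice instead of decoding silently truncated regions.

```c
/* Added illustration, not libavcodec code: a stand-alone model of how a
 * slice payload is split into per-entry-point CABAC regions, with every
 * signalled length clamped to the bytes that remain. All names here
 * (byte_cursor_t, ep_region_t, carve_entry_points, demo_*) are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *buffer;      /* start of the payload */
    const uint8_t *buffer_end;  /* one past its last byte */
    size_t         pos;         /* byte offset of the read cursor */
} byte_cursor_t;

typedef struct {
    const uint8_t *data;
    int            size;
} ep_region_t;

/* Bytes between the cursor and the end of the buffer; never negative. */
static int bytes_left(const byte_cursor_t *c)
{
    size_t total = (size_t)(c->buffer_end - c->buffer);
    return c->pos >= total ? 0 : (int)(total - c->pos);
}

static int clip_int(int v, int lo, int hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

/* Split the payload into n_ep + 1 regions. signalled[i] is the untrusted
 * byte length of region i; the final region takes whatever is left.
 * Returns how many signalled lengths had to be clamped (so a caller can
 * treat the slice as corrupt), or -1 if a region still escapes the buffer. */
static int carve_entry_points(byte_cursor_t *c, const int *signalled,
                              int n_ep, ep_region_t *out)
{
    int clamped = 0;
    for (int i = 0; i <= n_ep; i++) {
        int size = bytes_left(c);
        if (i < n_ep) {
            /* The clamp from the patch: [0, bytes remaining]. A negative or
             * oversized length from the bitstream can no longer push the
             * region past buffer_end. */
            size = clip_int(signalled[i], 0, size);
            if (size != signalled[i])
                clamped++;
        }
        out[i].data = c->buffer + c->pos;
        out[i].size = size;
        /* Same invariant the patch asserts on the GetBitContext. */
        if (out[i].data + size > c->buffer_end)
            return -1;
        c->pos += (size_t)size;
    }
    return clamped;
}

/* Constructed sample input: a 16-byte payload (its contents do not matter). */
#define DEMO_LEN 16
static const uint8_t demo_payload[DEMO_LEN] = { 0 };

/* Carve demo_payload with the given entry points into n_ep + 1 regions. */
static int demo_carve(const int *signalled, int n_ep, ep_region_t *regions)
{
    byte_cursor_t c = { demo_payload, demo_payload + DEMO_LEN, 0 };
    return carve_entry_points(&c, signalled, n_ep, regions);
}

/* Corrupt stream: second entry point claims 100 bytes of a 16-byte payload. */
int demo_corrupt_clamped(void)
{
    static const int signalled[2] = { 4, 100 };
    ep_region_t r[3];
    return demo_carve(signalled, 2, r);      /* returns 1: one region clamped */
}

int demo_corrupt_region_size(int i)
{
    static const int signalled[2] = { 4, 100 };
    ep_region_t r[3];
    demo_carve(signalled, 2, r);
    return (i >= 0 && i < 3) ? r[i].size : -1;   /* 4, 12, 0 */
}

/* Well-formed stream: 4 + 6 bytes signalled, 6 bytes left for the tail. */
int demo_valid_region_size(int i)
{
    static const int signalled[2] = { 4, 6 };
    ep_region_t r[3];
    demo_carve(signalled, 2, r);
    return (i >= 0 && i < 3) ? r[i].size : -1;   /* 4, 6, 6 */
}

int main(void)
{
    printf("corrupt: clamped=%d sizes=%d,%d,%d\n", demo_corrupt_clamped(),
           demo_corrupt_region_size(0), demo_corrupt_region_size(1),
           demo_corrupt_region_size(2));
    return 0;
}
```

The clamp alone only stops the overread; the returned clamp count is what lets the caller notice that the entry point offsets did not match the payload and refuse the slice rather than feed a truncated or empty region to the CABAC reader.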