From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 78E064B986
	for <ffmpegdev@gitmailbox.com>; Thu,  1 Aug 2024 16:17:54 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 32B9B68D7CC;
	Thu,  1 Aug 2024 19:17:52 +0300 (EEST)
Received: from mail-pl1-f171.google.com (mail-pl1-f171.google.com
 [209.85.214.171])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 4814F68D5E6
 for <ffmpeg-devel@ffmpeg.org>; Thu,  1 Aug 2024 19:17:46 +0300 (EEST)
Received: by mail-pl1-f171.google.com with SMTP id
 d9443c01a7336-1fc49c0aaffso54201965ad.3
 for <ffmpeg-devel@ffmpeg.org>; Thu, 01 Aug 2024 09:17:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1722529063; x=1723133863; darn=ffmpeg.org;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:from:to:cc:subject:date:message-id:reply-to;
 bh=bxWIGgm+mn/8ent4/eHnjN4KjcAPLc3hshpYzCWrAL4=;
 b=l5SDZFOgwdKCZpdmY7mP/6fOX4lTzoNDYXrMEkTK8V04SPhxXXZjJwHgAmNX9Zkmee
 3v3au4G93r25UXAaM6OamEm6g/4LcCMqoXhwF0NtVN+Gk0CnR4y3Aww6fnvxVM7kvgoj
 2/vPjR/bYF/ViF8oVYF65H+a3jMep9Zbm1kemYHd+Ii+Xuw8O4b4+eG/U4XUccBXmgkv
 sqqI6sAuGEgnjYmctiaJjKr5bxbA0PFqYrhqPt1qnRKzFXS6FgekiTWxRkR2WGLzc/9D
 hvHtNYDlbS5RMVbheu0cI3cke6pfGI2MG2IOFQN3jRg3TTRydOOVLZn2EREUaG6jkwQb
 /46Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1722529063; x=1723133863;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=bxWIGgm+mn/8ent4/eHnjN4KjcAPLc3hshpYzCWrAL4=;
 b=l/JLRe4/LTo6cJl7JB4CAeW3nfOk82sgmSKiCkOpoI5fEEXMDyGW4gpau7XeUnzsnH
 Nk6jd0zQtE3OXRD3eLCjQ7h7kcMw/iFTovYEEVSjdIEg14b7sKcFnJIYY++8nbL7vVkK
 nq/mQ73fx5DT+x8bkbypp9DvKqwuAAzVhexGiRQb15f5JGY73FFCsdiB9fv62OxlbWmR
 YfBZHmGfmn6no7DPwXzDb85dG7iFVPX4hyXnFINOTIDn2DA0C6c5uVWSULLA37zqyhXV
 7MIVrLAe0symEa4+sQ+/NSR2lAa/qp3cJRWbmm3gdXs9PwSsX5NjHvc65fw1c1pOVtGz
 2rMw==
X-Gm-Message-State: AOJu0Yz3zpBmW3CO/P9vGOnLf3M+rLLuGtQ7Tm3za8AQvAPDQTsWPYC+
 7iWbZxDCq0T1WCDXQdt41LqCftcDw2eUorL5t6RhCQsAoOI03kjrcOykWw==
X-Google-Smtp-Source: AGHT+IGWR70k6qw9ZKF6tJc/IPFMFepT7SmQU5Q7jnS+TY517oeT2rhxZra+3uG1pIY8wT6BEkWAeg==
X-Received: by 2002:a17:902:f682:b0:1fd:d6d8:133e with SMTP id
 d9443c01a7336-1ff5728184bmr8727605ad.14.1722529063151; 
 Thu, 01 Aug 2024 09:17:43 -0700 (PDT)
Received: from localhost.localdomain ([190.194.167.233])
 by smtp.gmail.com with ESMTPSA id
 d9443c01a7336-1ff58f53416sm538075ad.101.2024.08.01.09.17.41
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 01 Aug 2024 09:17:42 -0700 (PDT)
From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu,  1 Aug 2024 13:18:14 -0300
Message-ID: <20240801161814.7386-1-jamrial@gmail.com>
X-Mailer: git-send-email 2.45.2
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH] avcodec/cbs_h265: don't attempt to read 0
 length elements in sei_3d_reference_displays_info
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20240801161814.7386-1-jamrial@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

Fixes: 70458/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5259339779080192
Fixes: Assertion width > 0 && width <= 32 failed at libavcodec/cbs.c:608

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavcodec/cbs_h265_syntax_template.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c
index f1be30a6c9..12fa185c77 100644
--- a/libavcodec/cbs_h265_syntax_template.c
+++ b/libavcodec/cbs_h265_syntax_template.c
@@ -2307,7 +2307,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext
         else
             length = FFMAX(0, (int)current->exponent_ref_display_width[i] +
                               (int)current->prec_ref_display_width - 31);
-        ubs(length, mantissa_ref_display_width[i], 1, i);
+        if (length)
+            ubs(length, mantissa_ref_display_width[i], 1, i);
+        else
+            infer(mantissa_ref_display_width[i], 0);
         if (current->ref_viewing_distance_flag) {
             us(6, exponent_ref_viewing_distance[i], 0, 62, 1, i);
             if (!current->exponent_ref_viewing_distance[i])
@@ -2315,7 +2318,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext
             else
                 length = FFMAX(0, (int)current->exponent_ref_viewing_distance[i] +
                                   (int)current->prec_ref_viewing_dist - 31);
-            ubs(length, mantissa_ref_viewing_distance[i], 1, i);
+            if (length)
+                ubs(length, mantissa_ref_viewing_distance[i], 1, i);
+            else
+                infer(mantissa_ref_viewing_distance[i], 0);
         }
         flags(additional_shift_present_flag[i], 1, i);
         if (current->additional_shift_present_flag[i])
-- 
2.45.2

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".