From: Mark Thompson
To: ffmpeg-devel@ffmpeg.org
Date: Sat, 3 May 2025 18:55:22 +0100
Message-ID: <20250503175527.1517092-6-sw@jkqxz.net>
In-Reply-To: <20250503175527.1517092-1-sw@jkqxz.net>
Subject: [FFmpeg-devel] [PATCH 6/6] cbs_apv: Check tile component sizes

It was possible for the buffer pointers for the last tile to go over the end of the unit buffer, leading to a read overflow during decode of the macroblock layer. Check all tile component sizes to prevent this case and also catch related tile size mismatch errors earlier.
---
 libavcodec/cbs_apv_syntax_template.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/libavcodec/cbs_apv_syntax_template.c b/libavcodec/cbs_apv_syntax_template.c index b6681681d4..ca66349141 100644 --- a/libavcodec/cbs_apv_syntax_template.c +++ b/libavcodec/cbs_apv_syntax_template.c @@ -189,10 +189,12 @@ static int FUNC(frame_header)(CodedBitstreamContext *ctx, RWContext *rw, } static int FUNC(tile_header)(CodedBitstreamContext *ctx, RWContext *rw, - APVRawTileHeader *current, int tile_idx) + APVRawTileHeader *current, + int tile_idx, uint32_t tile_size) { const CodedBitstreamAPVContext *priv = ctx->priv_data; uint16_t expected_tile_header_size; + uint32_t tile_size_remaining; uint8_t max_qp; int err; 
@@ -203,8 +205,10 @@ static int FUNC(tile_header)(CodedBitstreamContext *ctx, RWContext *rw, u(16, tile_index, tile_idx, tile_idx); + tile_size_remaining = tile_size - current->tile_header_size; for (int c = 0; c < priv->num_comp; c++) { - us(32, tile_data_size[c], 1, MAX_UINT_BITS(32), 1, c); + us(32, tile_data_size[c], 1, tile_size_remaining, 1, c); + tile_size_remaining -= current->tile_data_size[c]; } max_qp = 3 + priv->bit_depth * 6; @@ -218,12 +222,14 @@ static int FUNC(tile_header)(CodedBitstreamContext *ctx, RWContext *rw, } static int FUNC(tile)(CodedBitstreamContext *ctx, RWContext *rw, - APVRawTile *current, int tile_idx) + APVRawTile *current, + int tile_idx, uint32_t tile_size) { const CodedBitstreamAPVContext *priv = ctx->priv_data; int err; - CHECK(FUNC(tile_header)(ctx, rw, ¤t->tile_header, tile_idx)); + CHECK(FUNC(tile_header)(ctx, rw, ¤t->tile_header, + tile_idx, tile_size)); for (int c = 0; c < priv->num_comp; c++) { uint32_t comp_size = current->tile_header.tile_data_size[c]; @@ -257,7 +263,8 @@ static int FUNC(frame)(CodedBitstreamContext *ctx, RWContext *rw, for (int t = 0; t < priv->tile_info.num_tiles; t++) { us(32, tile_size[t], 10, MAX_UINT_BITS(32), 1, t); - CHECK(FUNC(tile)(ctx, rw, ¤t->tile[t], t)); + CHECK(FUNC(tile)(ctx, rw, ¤t->tile[t], + t, current->tile_size[t])); } CHECK(FUNC(filler)(ctx, rw, ¤t->filler)); -- 2.47.2
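Review bot: in the tile_header hunk, `tile_size_remaining = tile_size - current->tile_header_size;` is an unsigned subtraction with no visible check that tile_header_size <= tile_size. The frame hunk only requires tile_size >= 10, while the expected header size grows with num_comp, so unless the comparison against expected_tile_header_size in the lines not shown already excludes a header larger than the tile, the subtraction wraps and the new upper bound on tile_data_size[c] is no tighter than the old MAX_UINT_BITS(32). Suggest an explicit guard before the subtraction, e.g. `if (current->tile_header_size > tile_size) return AVERROR_INVALIDDATA;`. Separately, once the loop finishes any nonzero tile_size_remaining is accepted silently; if the syntax requires the component sizes to account for the whole tile, rejecting leftover bytes here would match the stated aim of catching size mismatches early.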
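Review bot: the tile hunk only threads tile_size through to tile_header(), but the new parameter deserves a one-line comment on both functions saying that it is the total tile size including the header (tile_header() subtracts tile_header_size from it) and that, because this template also serves the write path through RWContext, a writer must fill current->tile_size[t] consistently with the component sizes or the us() range check in tile_header() will now reject its own structure.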
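Review bot: in the frame hunk, tile_size[t] is still read with an upper bound of MAX_UINT_BITS(32) and passed straight to tile(). The new checks bound the component sizes by tile_size, but nothing in this hunk bounds tile_size by the bytes actually remaining in the unit, so a tile_size larger than the unit still passes the header-level checks and is only caught when the component data is read. Consider replacing the MAX_UINT_BITS(32) limit in that us() call with the reader's remaining byte count so the failure is reported at the frame level with a clearer range error.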
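The size accounting the commit message describes, as an added stand-alone example that is not FFmpeg's code: a simplified, byte-aligned tile-header parser that bounds every component size by what is left of tile_size after the header, with an explicit guard on the unsigned subtraction. TileHeader, build_tile_header() and parse_tile_header_sizes() are hypothetical names for this example; the field names follow the patch, and all sample headers are constructed by the test.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_COMP 4
/* Hypothetical, simplified tile header: only the fields the check needs. */
typedef struct {
    uint16_t tile_header_size;
    uint32_t tile_data_size[MAX_COMP];
} TileHeader;

/* Build a constructed, byte-aligned header (the real bitstream is read with
 * a bit reader): 2-byte tile_header_size, then num_comp 4-byte sizes.
 * Returns the number of bytes written. */
size_t build_tile_header(uint8_t *out, uint16_t header_size,
                         const uint32_t *sizes, int num_comp) {
    out[0] = (uint8_t)(header_size >> 8); out[1] = (uint8_t)header_size;
    for (int c = 0; c < num_comp; c++)
        for (int b = 0; b < 4; b++)
            out[2 + 4 * c + b] = (uint8_t)(sizes[c] >> (24 - 8 * b));
    return 2 + 4 * (size_t)num_comp;
}

/* Parse the component sizes and, like the patch, require each one to fit
 * in what is left of tile_size after the header.  Returns 0 on success,
 * -1 on any range failure.  *leftover receives the bytes of the tile that
 * no component claims (the patch accepts these silently). */
int parse_tile_header_sizes(const uint8_t *buf, size_t buf_len,
                            uint32_t tile_size, int num_comp,
                            TileHeader *hdr, uint32_t *leftover) {
    if (num_comp < 1 || num_comp > MAX_COMP || buf_len < 2 + 4 * (size_t)num_comp)
        return -1;
    hdr->tile_header_size = (uint16_t)(buf[0] << 8 | buf[1]);
    /* Both operands are unsigned: without this guard the subtraction wraps
     * and the per-component bound below becomes meaningless. */
    if (hdr->tile_header_size > tile_size)
        return -1;
    uint32_t remaining = tile_size - hdr->tile_header_size;
    for (int c = 0; c < num_comp; c++) {
        const uint8_t *p = buf + 2 + 4 * c;
        uint32_t sz = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                      (uint32_t)p[2] << 8 | p[3];
        if (sz < 1 || sz > remaining)   /* us(32, ..., 1, tile_size_remaining, ...) */
            return -1;
        hdr->tile_data_size[c] = sz;
        remaining -= sz;
    }
    if (leftover) *leftover = remaining;
    return 0;
}
```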