From: Nuo Mi To: ffmpeg-devel@ffmpeg.org, toqsxw@gmail.com Date: Sat, 17 May 2025 13:51:50 +0800 Message-Id: <20250517055150.807683-1-nuomi2021@gmail.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH] lavc/vvc/plt: validate run and signalled_entries X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Nuo Mi Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: Fixes a crash triggered by a fuzzed clip: https://github.com/ffvvc/tests/tree/main/fuzz/passed/000256.bit Reproduce with: ffmpeg -i 000256.bit -f null - --- libavcodec/vvc/ctu.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c index 62c9d4f5c0..ba4c89b1d1 100644 --- a/libavcodec/vvc/ctu.c +++ b/libavcodec/vvc/ctu.c @@ -1845,7 +1845,7 @@ static TransformUnit* palette_add_tu(VVCLocalContext *lc, const int start, const return tu; } -static void palette_predicted(VVCLocalContext *lc, const bool local_dual_tree, int start, int end, +static int palette_predicted(VVCLocalContext *lc, const bool local_dual_tree, int start, int end, bool *predictor_reused, const int predictor_size, const int max_entries) { CodingUnit *cu = lc->cu; @@ -1863,6 +1863,10 @@ static void palette_predicted(VVCLocalContext *lc, const bool local_dual_tree, i if (run > 1) i += run - 1; + + if (i >= predictor_size) + return AVERROR_INVALIDDATA; + predictor_reused[i] = true; for (int c = start; c < end; c++) cu->plt[c].entries[nb_predicted] = lc->ep->pp[c].entries[i]; 
@@ -1871,9 +1875,11 @@ static void palette_predicted(VVCLocalContext *lc, const bool local_dual_tree, i for (int c = start; c < end; c++) cu->plt[c].size = nb_predicted; + + return 0; } -static void palette_signaled(VVCLocalContext *lc, const bool local_dual_tree, +static int palette_signaled(VVCLocalContext *lc, const bool local_dual_tree, const int start, const int end, const int max_entries) { const VVCSPS *sps = lc->fc->ps.sps; @@ -1883,6 +1889,9 @@ static void palette_signaled(VVCLocalContext *lc, const bool local_dual_tree, const int size = nb_predicted + nb_signaled; const bool dual_tree_luma = local_dual_tree && cu->tree_type == DUAL_TREE_LUMA; + if (size > max_entries) + return AVERROR_INVALIDDATA; + for (int c = start; c < end; c++) { Palette *plt = cu->plt + c; for (int i = nb_predicted; i < size; i++) { @@ -1894,6 +1903,8 @@ static void palette_signaled(VVCLocalContext *lc, const bool local_dual_tree, } plt->size = size; } + + return 0; } static void palette_update_predictor(VVCLocalContext *lc, const bool local_dual_tree, int start, int end, @@ -2070,7 +2081,7 @@ static int hls_palette_coding(VVCLocalContext *lc, const VVCTreeType tree_type) int max_index = 0; int prev_run_pos = 0; - int predictor_size, start, end; + int predictor_size, start, end, ret; bool reused[VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE]; uint8_t run_type[MAX_PALETTE_CU_SIZE * MAX_PALETTE_CU_SIZE]; uint8_t index[MAX_PALETTE_CU_SIZE * MAX_PALETTE_CU_SIZE]; 
@@ -2082,8 +2093,15 @@ static int hls_palette_coding(VVCLocalContext *lc, const VVCTreeType tree_type) predictor_size = pp[start].size; memset(reused, 0, sizeof(reused[0]) * predictor_size); - palette_predicted(lc, local_dual_tree, start, end, reused, predictor_size, max_entries); - palette_signaled(lc, local_dual_tree, start, end, max_entries); + + ret = palette_predicted(lc, local_dual_tree, start, end, reused, predictor_size, max_entries); + if (ret < 0) + return ret; + + ret = palette_signaled(lc, local_dual_tree, start, end, max_entries); + if (ret < 0) + return ret; + palette_update_predictor(lc, local_dual_tree, start, end, reused, predictor_size); if (cu->plt[start].size > 0) -- 2.34.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
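Review bot: In the hunk at @@ -1863,6 +1863,10 @@ (palette_predicted), the new `if (i >= predictor_size) return AVERROR_INVALIDDATA;` does guard `predictor_reused[i]` and `lc->ep->pp[c].entries[i]`, but `i += run - 1` has already been evaluated with a bitstream-supplied `run` by the time the comparison runs; if `run` is not bounded where it is decoded, that addition can overflow `int` before the check. Consider rejecting the run before adding it, e.g. `if (run - 1 >= predictor_size - i) return AVERROR_INVALIDDATA;`, which refuses the same inputs without depending on a post-overflow comparison.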
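Review bot: In the hunk at @@ -1883,6 +1889,9 @@ (palette_signaled), `if (size > max_entries) return AVERROR_INVALIDDATA;` sits before the `for (int i = nb_predicted; i < size; i++)` loop that fills `plt->entries`, so no partial write happens on the error path; however, palette_predicted has already set `cu->plt[c].size = nb_predicted` and marked `predictor_reused` by then, so the CU is left with a half-initialised palette. That is only safe because hls_palette_coding returns immediately and skips palette_update_predictor; a short comment stating that invariant would help future readers. The diff also does not show what bounds `max_entries` relative to the capacity of the `entries` array, so a sentence on that in the commit message would make the fix easier to verify.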
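Review bot: In the hunk at @@ -2082,8 +2093,15 @@ (hls_palette_coding), the new `ret` checks correctly abort before palette_update_predictor, but the preceding `memset(reused, 0, sizeof(reused[0]) * predictor_size)` still trusts `predictor_size = pp[start].size` against a `reused` array of VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE entries; this diff does not show where pp[start].size is bounded, so please confirm it can never exceed that constant (or add an equivalent check here) so the fix is complete. A FATE test built from the fuzzed clip referenced in the commit message would also pin the new behaviour.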