From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 15 Sep 2023 10:57:29 -0300
Subject: Re: [FFmpeg-devel] [PATCH 2/4] avcodec/evc_ps: Check ref_pic_num and sps_max_dec_pic_buffering_minus1
Message-ID: <55fe7d49-901c-5055-61e2-975599a903f8@gmail.com>
In-Reply-To: <20230915131147.5945-2-michael@niedermayer.cc>
References: <20230915131147.5945-1-michael@niedermayer.cc> <20230915131147.5945-2-michael@niedermayer.cc>

On 9/15/2023 10:11 AM, Michael Niedermayer wrote:
> Fixes: out of array write
>
> Found-by: dongsookim@korea.ac.kr
> Signed-off-by: Michael Niedermayer > --- > libavcodec/evc_ps.c | 13 +++++++++---- > 1 file changed, 9 insertions(+), 4 deletions(-) > > diff --git a/libavcodec/evc_ps.c b/libavcodec/evc_ps.c > index 7fe13fd32f0..96237ed2911 100644 > --- a/libavcodec/evc_ps.c > +++ b/libavcodec/evc_ps.c > @@ -22,12 +22,15 @@ > #include "evc_ps.h" > > #define EXTENDED_SAR 255 > - > // @see ISO_IEC_23094-1 (7.3.7 Reference picture list structure syntax) > -static int ref_pic_list_struct(GetBitContext *gb, RefPicListStruct *rpl) > +static int ref_pic_list_struct(EVCParserSPS *sps, GetBitContext *gb, RefPicListStruct *rpl) > { > uint32_t delta_poc_st, strp_entry_sign_flag = 0; > rpl->ref_pic_num = get_ue_golomb_long(gb); > + > + if ((unsigned)rpl->ref_pic_num > sps->sps_max_dec_pic_buffering_minus1) > + return AVERROR_INVALIDDATA; > + > if (rpl->ref_pic_num > 0) { > delta_poc_st = get_ue_golomb_long(gb); > > @@ -251,6 +254,8 @@ int ff_evc_parse_sps(GetBitContext *gb, EVCParamSets *ps) > sps->max_num_tid0_ref_pics = get_ue_golomb_31(gb); > else { > sps->sps_max_dec_pic_buffering_minus1 = get_ue_golomb_long(gb); > + if ((unsigned)sps->sps_max_dec_pic_buffering_minus1 > 16 - 1) > + return AVERROR_INVALIDDATA; > sps->long_term_ref_pic_flag = get_bits1(gb); > sps->rpl1_same_as_rpl0_flag = get_bits1(gb); > sps->num_ref_pic_list_in_sps[0] = get_ue_golomb(gb); > @@ -261,7 +266,7 @@ int ff_evc_parse_sps(GetBitContext *gb, EVCParamSets *ps) > } > > for (int i = 0; i < sps->num_ref_pic_list_in_sps[0]; ++i) > - ref_pic_list_struct(gb, &sps->rpls[0][i]); > + ref_pic_list_struct(sps, gb, &sps->rpls[0][i]); Could check and propagate the error value here while at it. > > if (!sps->rpl1_same_as_rpl0_flag) { > sps->num_ref_pic_list_in_sps[1] = get_ue_golomb(gb); 
> @@ -270,7 +275,7 @@ int ff_evc_parse_sps(GetBitContext *gb, EVCParamSets *ps) > goto fail; > } > for (int i = 0; i < sps->num_ref_pic_list_in_sps[1]; ++i) > - ref_pic_list_struct(gb, &sps->rpls[1][i]); > + ref_pic_list_struct(sps, gb, &sps->rpls[1][i]); Ditto. > } > } > Should be ok.
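Review bot: in the @@ -22,12 +22,15 @@ hunk, the new bound `(unsigned)rpl->ref_pic_num > sps->sps_max_dec_pic_buffering_minus1` still admits ref_pic_num == sps_max_dec_pic_buffering_minus1, and nothing in the hunk shows the size of the array that the ref_pic_num entries are subsequently written into; a comment next to the check naming that array and its capacity (it must hold at least sps_max_dec_pic_buffering_minus1 + 1 entries for this bound to close the out-of-array write the commit message describes) would let a reviewer confirm the fix and would stop a later resize of the array from silently reopening the issue. The `(unsigned)` cast is doing real work here (a negative ref_pic_num must compare as huge rather than pass the check), so a one-line comment on why it is there is also worth adding; the ordering is fine as shown, since the SPS field is bounded in the @@ -251 hunk before the rpl loops run.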
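Review bot: in the @@ -251,6 +254,8 @@ hunk, `16 - 1` is a magic number; give the DPB limit a named constant (hypothetical name, e.g. a MAX_DPB_SIZE define) and reference the array it protects, so the relationship between this check and the one added in ref_pic_list_struct is explicit rather than two literals that happen to agree. This check also does `return AVERROR_INVALIDDATA;` directly inside ff_evc_parse_sps, while the surrounding code (visible in the @@ -270 hunk) uses `goto fail;`; if the fail label releases anything allocated earlier in the function, the new early return should take the same path.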
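Review bot: agreeing with the comment above on the @@ -261,7 +266,7 @@ hunk, the return value of `ref_pic_list_struct(sps, gb, &sps->rpls[0][i]);` is dropped, so after this patch an over-large ref_pic_num makes the callee return AVERROR_INVALIDDATA but the loop carries on and sps->rpls[0][i] keeps the rejected value for whatever consumes it later; since the function now exists to signal exactly that, store the result in an int (hypothetical name ret) and `if (ret < 0) goto fail;`, reusing the fail label visible in the next hunk, so a malformed SPS is rejected rather than left half-parsed. The same applies to the rpls[1] loop in the @@ -270 hunk.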