Date: Wed, 18 Oct 2023 15:17:41 +0200
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH 2/2] avcodec/hevc_ps: Dont leave invalid cpb_cnt_minus1 in the context
References: <20231018004935.18309-1-michael@niedermayer.cc> <20231018004935.18309-2-michael@niedermayer.cc>
In-Reply-To: <20231018004935.18309-2-michael@niedermayer.cc>

Michael Niedermayer:
> Fixes: index 32 out of bounds for type 'uint32_t [32]' > Fixes: 63003/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4685160840560640 > > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer > --- > libavcodec/hevc_ps.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c > index a6b64b92e3..f4365ef5b5 100644 > --- a/libavcodec/hevc_ps.c > +++ b/libavcodec/hevc_ps.c > @@ -421,6 +421,7 @@ static int decode_hrd(GetBitContext *gb, int common_inf_present, > if (hdr->cpb_cnt_minus1[i] > 31) { > av_log(NULL, AV_LOG_ERROR, "nb_cpb %d invalid\n", > hdr->cpb_cnt_minus1[i]); > + hdr->cpb_cnt_minus1[i] = 0; > return AVERROR_INVALIDDATA; > } > }

There is a second issue here: There can be truncation during the previous assignment, because cpb_cnt_minus1 is uint8_t. So this should be fixed by properly checking the value and only putting it in the parameter set after it has been validated (which also avoids having to reset it).

- Andreas
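
Review bot: The added `hdr->cpb_cnt_minus1[i] = 0;` in the error branch of decode_hrd() repairs the context only after the unvalidated value has already been written to it, and the `> 31` comparison is made on the stored field rather than on what was parsed. With the field being uint8_t, as the reply points out, the comparison sees an already narrowed value, so the reset covers only the inputs that still exceed 31 after narrowing. Reading into a local of the parser's width, comparing that against 31, and assigning to `hdr->cpb_cnt_minus1[i]` only on success would remove the need for the reset. Separately, the log text labels the value `nb_cpb` while printing the minus1 field; worth aligning the two.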
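
The truncation concern raised in the reply, as an added example that is not FFmpeg code and not part of the thread: it compares storing before checking with checking before storing. The struct, function names and sample inputs are hypothetical, and it assumes the bitstream reader hands back a 32-bit unsigned value.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_CPB_CNT_MINUS1 31u  /* bound taken from the check in the quoted hunk */

/* Hypothetical stand-in for the parameter-set field discussed in the thread. */
struct hrd_model {
    uint8_t cpb_cnt_minus1;
};

/* Store first, check afterwards: the narrowing to uint8_t happens before
 * the comparison, so the check only ever sees the low 8 bits. */
static int store_then_check(struct hrd_model *h, uint32_t parsed)
{
    h->cpb_cnt_minus1 = (uint8_t)parsed;      /* 261 becomes 5 here */
    if (h->cpb_cnt_minus1 > MAX_CPB_CNT_MINUS1) {
        h->cpb_cnt_minus1 = 0;                /* reset, as in the patch */
        return -1;
    }
    return 0;
}

/* Check the full-width value; store only once it is known to be valid. */
static int check_then_store(struct hrd_model *h, uint32_t parsed)
{
    if (parsed > MAX_CPB_CNT_MINUS1)
        return -1;                            /* context left untouched */
    h->cpb_cnt_minus1 = (uint8_t)parsed;      /* lossless: parsed <= 31 */
    return 0;
}

int main(void)
{
    /* Constructed inputs: valid, just too large, and two values >= 256. */
    const uint32_t samples[] = { 7, 32, 261, 288 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct hrd_model a = { 3 }, b = { 3 };
        int ra = store_then_check(&a, samples[i]);
        int rb = check_then_store(&b, samples[i]);
        printf("parsed=%3u store-first: ret=%2d field=%u | "
               "check-first: ret=%2d field=%u\n",
               (unsigned)samples[i], ra, (unsigned)a.cpb_cnt_minus1,
               rb, (unsigned)b.cpb_cnt_minus1);
    }
    return 0;
}
```

For the input 261 the store-first variant reports success with the field set to 5, while the check-first variant rejects it and leaves the previous value in place.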