On Sun, Nov 15, 2020 at 09:37:45PM +0000, Mark Thompson wrote: > On 14/11/2020 10:18, Michael Niedermayer wrote: > > Fixes: index 26 out of bounds for type 'uint8_t [16]' > > Fixes: > > 24913/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6261760693370880 > > > > Found-by: continuous fuzzing process > > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > > --- > > libavcodec/cbs_h265_syntax_template.c | 2 ++ > > 1 file changed, 2 insertions(+) > > > > diff --git a/libavcodec/cbs_h265_syntax_template.c > > b/libavcodec/cbs_h265_syntax_template.c > > index 48fae82d04..8eb6e159f4 100644 > > --- a/libavcodec/cbs_h265_syntax_template.c > > +++ b/libavcodec/cbs_h265_syntax_template.c > > @@ -1405,6 +1405,8 @@ static int > > FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw, > > infer(num_long_term_sps, 0); > > idx_size = 0; > > } > > + if (HEVC_MAX_REFS < current->num_long_term_sps) > > + return AVERROR_INVALIDDATA; > > Please don't put isolated tests in the middle of the template. If it > constrains a value then add it to the constraints on that value. > > > ue(num_long_term_pics, 0, HEVC_MAX_REFS - > > current->num_long_term_sps); > > for (i = 0; i < current->num_long_term_sps + > > > > It would be good if the commit message could include an explanation derived > from the standard, too. > > As far as I can tell the constraint doesn't appear explicitly, but the SPS is > allowed to define more possible long term frames than are actually allowed to > be present at any given moment so we need the tighter bound.
Is the change below what you had in mind ?
commit 72c6c46bb2b31b2822331aff461acccd0a4f9159 (HEAD -> master)
Author: Michael Niedermayer <mich...@niedermayer.cc>
Date: Fri Nov 13 23:15:52 2020 +0100
avcodec/cbs_h265_syntax_template: Better check for num_long_term_sps
As far as we can tell the constraint doesn't appear explicitly, but the SPS
is allowed to
define more possible long term frames than are actually allowed to be
present at any given moment so we need the tighter bound.
Fixes: index 26 out of bounds for type 'uint8_t [16]'
Fixes:
24913/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6261760693370880
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
diff --git a/libavcodec/cbs_h265_syntax_template.c
b/libavcodec/cbs_h265_syntax_template.c
index 48fae82d04..30f2bd328c 100644
--- a/libavcodec/cbs_h265_syntax_template.c
+++ b/libavcodec/cbs_h265_syntax_template.c
@@ -1399,7 +1399,7 @@ static int
FUNC(slice_segment_header)(CodedBitstreamContext *ctx, RWContext *rw,
unsigned int idx_size;
if (sps->num_long_term_ref_pics_sps > 0) {
- ue(num_long_term_sps, 0, sps->num_long_term_ref_pics_sps);
+ ue(num_long_term_sps, 0,
FFMIN(sps->num_long_term_ref_pics_sps, HEVC_MAX_REFS));
idx_size = av_log2(sps->num_long_term_ref_pics_sps - 1) +
1;
} else {
infer(num_long_term_sps, 0);
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
Elect your leaders based on what they did after the last election, not
based on what they say before an election.
signature.asc
Description: PGP signature
_______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
