PR #21329 opened by frankplow URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21329 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21329.patch
Backport fixes from #21293 and #21317. >From b0f76db8660bb6925e2bc4348d0e8f017fa61c55 Mon Sep 17 00:00:00 2001 From: Frank Plowman <[email protected]> Date: Wed, 24 Dec 2025 15:35:06 +0000 Subject: [PATCH 1/2] lavc/vvc: Error on inter slice with no reference pics The semantics of sh_num_ref_idx_active_minus1[ i ] state that When the current slice is a P slice, the value of NumRefIdxActive[ 0 ] shall be greater than 0. When the current slice is a B slice, both NumRefIdxActive[ 0 ] and NumRefIdxActive[ 1 ] shall be greater than 0. Fixes: use of uninitialized memory Fixes: 449549597/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-5600497089445888 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Reported-by: Michael Niedermayer [email protected] (cherry picked from commit 90f1f797aa9231375e4858df523fbfeda89bfd79) --- libavcodec/cbs_h266_syntax_template.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index 8b337c75d0..d9a65a9c19 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -3248,6 +3248,12 @@ static int FUNC(slice_header) (CodedBitstreamContext *ctx, RWContext *rw, FFMIN(ref_pic_lists->rpl_ref_list[i].num_ref_entries, pps->pps_num_ref_idx_default_active_minus1[i] + 1); } + + if (current->num_ref_idx_active[i] <= 0) { + av_log(ctx->log_ctx, AV_LOG_ERROR, + "Inter slice but no reference pictures available for RPL%d.\n", i); + return AVERROR_INVALIDDATA; + } } else { current->num_ref_idx_active[i] = 0; } -- 2.49.1 >From 6849581e70ce68c7bb096fec062a332ed56aa9c9 Mon Sep 17 00:00:00 2001 From: Frank Plowman <[email protected]> Date: Mon, 29 Dec 2025 22:14:53 +0000 Subject: [PATCH 2/2] lavc/vvc: Prevent OOB write to slice_top_left_ctu_x in PPS CBS Prior to the fix, in the case of a tile containing multiple slices (pps_num_exp_slices_in_tile != 0) the number of slices was temporarily allowed to exceed pps_num_slices_in_pic_minus1+1 and therefore VVC_MAX_SLICES. The number of slices was later verified, but while the current slice index was higher than expected it was used to write to a array of size VVC_MAX_SLICES, leading to an OOB write. To rectify this, the patch adds some checks at an earlier stage, to ensure that the slice index i + j at no point exceeds pps_num_slices_in_pic_minus1. Fixes #YWH-PGM40646-30 (cherry picked from commit 72a38c12e5b84ccb30fba88c39ef2a086013af5b) --- libavcodec/cbs_h266_syntax_template.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c index d9a65a9c19..4f6ae76e27 100644 --- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -2011,6 +2011,12 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw, slice_top_left_ctu_y[i] = ctu_y; } else { uint16_t slice_height_in_ctus; + int num_uniform_slices; + + if (i + current->pps_num_exp_slices_in_tile[i] > + current->pps_num_slices_in_pic_minus1 + 1) + return AVERROR_INVALIDDATA; + for (j = 0; j < current->pps_num_exp_slices_in_tile[i]; j++) { ues(pps_exp_slice_height_in_ctus_minus1[i][j], 0, @@ -2031,6 +2037,13 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw, uniform_slice_height = 1 + (j == 0 ? current->row_height_val[tile_y] - 1: current->pps_exp_slice_height_in_ctus_minus1[i][j-1]); + + num_uniform_slices = (remaining_height_in_ctbs_y + uniform_slice_height - 1) + / uniform_slice_height; + if (i + current->pps_num_exp_slices_in_tile[i] + num_uniform_slices > + current->pps_num_slices_in_pic_minus1 + 1) + return AVERROR_INVALIDDATA; + while (remaining_height_in_ctbs_y > uniform_slice_height) { current->slice_height_in_ctus[i + j] = uniform_slice_height; -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
