On 2012-11-27 12:56:56 +0100, Janne Grunau wrote:
> On 2012-11-26 07:04:16 -0800, Ronald S. Bultje wrote:
> > Hi,
> > 
> > On Mon, Nov 26, 2012 at 4:27 AM, Janne Grunau <janne-li...@jannau.net> 
> > wrote:
> > > On 2012-11-26 13:22:51 +0100, Kostya Shishkov wrote:
> > >>
> > >> LGTM though I suspect it's useless to check for the minimum size (unless
> > >> it overflows).
> > >
> > > The min check is added to protect against overflows. The sample in the
> > > commit msg doesn't overflow but is only slightly lower than INT_MAX.
> > 
> > Here, too, we should then protect against the actual overflow itself  
> > from happening, not so much check that it just happened.  
> > 
> > number = read_golomb();
> > if number >= MIN_VALUE && number - MIN_VALUE >= MAX_VALUE
> >   error;
> > number += MIN_VALUE;
> 
> I was more worried about the 'overflow' in get_ue_golomb() since I saw
> that already. Checking before the addition for an overflow works
> too, updated patch attached.
> 
> Janne
> 
> ---8<---
> Fixes infinite or long-running loop in frame num gap code in
> the fuzzed sample bipbop234.ts_s223302.
> 
> CC: libav-sta...@libav.org
> ---
>  libavcodec/h264_ps.c | 16 ++++++++++++++--
>  1 file changed, 14 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
> index 810f69f..7490600 100644
> --- a/libavcodec/h264_ps.c
> +++ b/libavcodec/h264_ps.c
> @@ -37,6 +37,9 @@
>  //#undef NDEBUG
>  #include <assert.h>
>  
> +#define MAX_LOG2_MAX_FRAME_NUM    (12 + 4)
> +#define MIN_LOG2_MAX_FRAME_NUM    4
> +
>  static const AVRational pixel_aspect[17]={
>   {0, 1},
>   {1, 1},
> @@ -301,7 +304,7 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
>      MpegEncContext * const s = &h->s;
>      int profile_idc, level_idc, constraint_set_flags = 0;
>      unsigned int sps_id;
> -    int i;
> +    int i, log2_max_frame_num_minus4;
>      SPS *sps;
>  
>      profile_idc= get_bits(&s->gb, 8);
> @@ -348,7 +351,16 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
>          sps->bit_depth_chroma = 8;
>      }
>  
> -    sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4;
> +    log2_max_frame_num_minus4 = get_ue_golomb(&s->gb);
> +    if (log2_max_frame_num_minus4 < MIN_LOG2_MAX_FRAME_NUM - 4 ||
> +        log2_max_frame_num_minus4 > MAX_LOG2_MAX_FRAME_NUM - 4) {
> +        av_log(h->s.avctx, AV_LOG_ERROR,
> +               "log2_max_frame_num_minus4 out of range (0-12): %d\n",
> +               log2_max_frame_num_minus4);
> +        return AVERROR_INVALIDDATA;
> +    }
> +    sps->log2_max_frame_num = log2_max_frame_num_minus4 + 4;
> +
>      sps->poc_type= get_ue_golomb_31(&s->gb);
>  
>      if(sps->poc_type == 0){ //FIXME #define
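Review bot: in the new check the lower bound `MIN_LOG2_MAX_FRAME_NUM - 4` evaluates to 0, so the first compare is really "reject a negative return from get_ue_golomb()", which is the wrapped-value case Janne mentions above and the one that matters for the fuzzed sample; a short comment saying so would keep a later cleanup from dropping the "redundant" compare on an int that cannot legitimately be negative. The av_log message also hardcodes "(0-12)" separately from the macros used in the condition; printing the bounds from the same constants (`"%d-%d"`) avoids a stale message if the limits are ever touched. The order itself is right: the range test runs on log2_max_frame_num_minus4 before the `+ 4`, so the addition can no longer overflow, unlike the previous `get_ue_golomb(&s->gb) + 4`.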

ping

Janne
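The pattern discussed above (read the Exp-Golomb value, bound it, and only then add the syntax element's offset) in a stand-alone form. This is an added example for this page, not code from the thread or from libavcodec: the minimal bit reader, the function names and the byte strings are all constructed here. Unlike the patch, which keeps the value in an int and needs the `< 0` compare, this version returns the code number unsigned so a single upper-bound compare rejects both truncated or oversized codes and in-range-but-too-large values; ue(v) codes with more than 31 leading zeros are refused outright instead of being allowed to wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit reader over a constructed buffer (MSB first, as in an H.264 NAL payload). */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitReader;

static int read_bit(BitReader *br)
{
    if (br->pos >= br->size_bits)
        return -1;                                   /* ran off the end */
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* ue(v): count leading zeros, read that many suffix bits,
 * codeNum = 2^zeros - 1 + suffix. Refuse codes that cannot fit 32 bits. */
static int read_ue_golomb(BitReader *br, uint32_t *out)
{
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0) {
        if (++zeros > 31)
            return -1;                               /* would overflow codeNum */
    }
    if (bit < 0)
        return -1;                                   /* truncated before the 1 bit */
    uint32_t suffix = 0;
    for (int i = 0; i < zeros; i++) {
        bit = read_bit(br);
        if (bit < 0)
            return -1;                               /* truncated suffix */
        suffix = (suffix << 1) | (uint32_t)bit;
    }
    *out = ((1u << zeros) - 1) + suffix;             /* max 2^32 - 2, no wrap */
    return 0;
}

/* Spec range for log2_max_frame_num_minus4 is 0..12 inclusive (assumed constant name). */
#define LOG2_MAX_FRAME_NUM_MINUS4_MAX 12u

/* Range-check the value as read, then apply the +4 offset.
 * Returns 0 on success, -1 on a malformed code, -2 when out of range. */
static int parse_log2_max_frame_num(BitReader *br, int *log2_max_frame_num)
{
    uint32_t minus4;
    if (read_ue_golomb(br, &minus4) < 0)
        return -1;
    if (minus4 > LOG2_MAX_FRAME_NUM_MINUS4_MAX)
        return -2;                                   /* checked before the addition */
    *log2_max_frame_num = (int)minus4 + 4;
    return 0;
}

/* Convenience wrapper: log2_max_frame_num on success, negative error code otherwise. */
static int parsed_log2(const uint8_t *buf, size_t len)
{
    BitReader br = { buf, len * 8, 0 };
    int v = 0, ret = parse_log2_max_frame_num(&br, &v);
    return ret < 0 ? ret : v;
}

/* Constructed inputs (hypothetical, not from any real stream):
 * "1"                         -> codeNum 0  -> log2_max_frame_num 4
 * "0001101"                   -> codeNum 12 -> 16, the largest legal value
 * "0001110"                   -> codeNum 13 -> out of range
 * 31 zeros, 1, 31 one bits    -> codeNum 2^32-2, the near-wrap case, out of range
 * 32 zeros then 1             -> refused as oversized before any arithmetic
 * 8 zeros, end of data        -> truncated */
static const uint8_t kCode0[]     = { 0x80 };
static const uint8_t kCode12[]    = { 0x1A };
static const uint8_t kCode13[]    = { 0x1C };
static const uint8_t kCodeHuge[]  = { 0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFE };
static const uint8_t kCode32Z[]   = { 0x00, 0x00, 0x00, 0x00, 0x80 };
static const uint8_t kCodeTrunc[] = { 0x00 };

int main(void)
{
    printf("code 0    -> %d\n", parsed_log2(kCode0, sizeof kCode0));
    printf("code 12   -> %d\n", parsed_log2(kCode12, sizeof kCode12));
    printf("code 13   -> %d\n", parsed_log2(kCode13, sizeof kCode13));
    printf("huge      -> %d\n", parsed_log2(kCodeHuge, sizeof kCodeHuge));
    printf("32 zeros  -> %d\n", parsed_log2(kCode32Z, sizeof kCode32Z));
    printf("truncated -> %d\n", parsed_log2(kCodeTrunc, sizeof kCodeTrunc));
    return 0;
}
```

The near-wrap input is the interesting one: its code number is 4294967294, which an `int` decoder would report as -2 and then turn into 2 after `+ 4`, sailing past a check that only looked at the upper bound after the addition. Bounding the raw value first makes the offset arithmetic incapable of misbehaving regardless of the integer type chosen.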
_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel