summaryrefslogtreecommitdiff
path: root/libavcodec/cbs_sei_syntax_template.c
diff options
context:
space:
mode:
authorMark Thompson <sw@jkqxz.net>2021-02-02 20:58:11 +0000
committerMark Thompson <sw@jkqxz.net>2021-03-12 22:45:33 +0000
commit2c96e6cb955af3062e78c5b0f9fb907cfb2e59e3 (patch)
tree23f0583aba572b823d56f343bd622f8e490c5adb /libavcodec/cbs_sei_syntax_template.c
parentb128b0ce2203f96ff86969f6d0039827a7f00378 (diff)
downloadffmpeg-2c96e6cb955af3062e78c5b0f9fb907cfb2e59e3.tar.gz
cbs_sei: Detect payload overflows when reading SEI messages
The top-level GetBitContext is sized for the whole NAL unit, so it fails to detect overflows where a payload continues into the following message. To fix that, we make a new context on the stack for reading each payload. Fixes: 29892/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-6310830956216320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Tested-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/cbs_sei_syntax_template.c')
-rw-r--r--libavcodec/cbs_sei_syntax_template.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/libavcodec/cbs_sei_syntax_template.c b/libavcodec/cbs_sei_syntax_template.c
index 9114e61ff6..0ef7b42ed9 100644
--- a/libavcodec/cbs_sei_syntax_template.c
+++ b/libavcodec/cbs_sei_syntax_template.c
@@ -238,6 +238,7 @@ static int FUNC(message_list)(CodedBitstreamContext *ctx, RWContext *rw,
uint32_t payload_type = 0;
uint32_t payload_size = 0;
uint32_t tmp;
+ GetBitContext payload_gbc;
while (show_bits(rw, 8) == 0xff) {
fixed(8, ff_byte, 0xff);
@@ -253,13 +254,27 @@ static int FUNC(message_list)(CodedBitstreamContext *ctx, RWContext *rw,
xu(8, last_payload_size_byte, tmp, 0, 254, 0);
payload_size += tmp;
+ // There must be space remaining for both the payload and
+ // the trailing bits on the SEI NAL unit.
+ if (payload_size + 1 > get_bits_left(rw) / 8) {
+ av_log(ctx->log_ctx, AV_LOG_ERROR,
+ "Invalid SEI message: payload_size too large "
+ "(%"PRIu32" bytes).\n", payload_size);
+ return AVERROR_INVALIDDATA;
+ }
+ CHECK(init_get_bits(&payload_gbc, rw->buffer,
+ get_bits_count(rw) + 8 * payload_size));
+ skip_bits_long(&payload_gbc, get_bits_count(rw));
+
CHECK(ff_cbs_sei_list_add(current));
message = &current->messages[k];
message->payload_type = payload_type;
message->payload_size = payload_size;
- CHECK(FUNC(message)(ctx, rw, message));
+ CHECK(FUNC(message)(ctx, &payload_gbc, message));
+
+ skip_bits_long(rw, 8 * payload_size);
if (!cbs_h2645_read_more_rbsp_data(rw))
break;
View Lorry Controller Status