diff mbox

[FFmpeg-devel] avcodec/hevcdec: Check for overlapping slices

Message ID 20181124015134.11375-1-michael@niedermayer.cc
State Accepted
Commit 1a89ae1df8585134b9524f736b71cee98de7895a
Headers show

Commit Message

Michael Niedermayer Nov. 24, 2018, 1:51 a.m. UTC 
Fixes: Timeout
Fixes: 10108/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6222384351674368

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/hevcdec.c | 4 ++++
 libavcodec/hevcdec.h | 1 +
 2 files changed, 5 insertions(+)

Comments

Michael Niedermayer Dec. 1, 2018, 2:02 a.m. UTC | #1 
On Sat, Nov 24, 2018 at 02:51:34AM +0100, Michael Niedermayer wrote:
> Fixes: Timeout
> Fixes: 10108/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6222384351674368
> 
> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/hevcdec.c | 4 ++++
>  libavcodec/hevcdec.h | 1 +
>  2 files changed, 5 insertions(+)

will apply

[...]
diff mbox

Patch

diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index a3b5c8cb71..10bf2563c0 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -2942,6 +2942,7 @@  static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal)
                     s->max_ra = INT_MIN;
             }
 
+            s->overlap ++;
             ret = hevc_frame_start(s);
             if (ret < 0)
                 return ret;
@@ -3020,6 +3021,7 @@  static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length)
     s->ref = NULL;
     s->last_eos = s->eos;
     s->eos = 0;
+    s->overlap = 0;
 
     /* split the input packet into NAL units, so we know the upper bound on the
      * number of slices in the frame */
@@ -3054,6 +3056,8 @@  static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length)
             continue;
 
         ret = decode_nal_unit(s, nal);
+        if (ret >= 0 && s->overlap > 2)
+            ret = AVERROR_INVALIDDATA;
         if (ret < 0) {
             av_log(s->avctx, AV_LOG_WARNING,
                    "Error parsing NAL unit #%d.\n", i);
diff --git a/libavcodec/hevcdec.h b/libavcodec/hevcdec.h
index dd951aae06..b45969b7e2 100644
--- a/libavcodec/hevcdec.h
+++ b/libavcodec/hevcdec.h
@@ -430,6 +430,7 @@  typedef struct HEVCContext {
     int max_ra;
     int bs_width;
     int bs_height;
+    int overlap;
 
     int is_decoded;
     int no_rasl_output_flag;