From patchwork Wed Jun 5 02:18:54 2019
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Date: Wed, 5 Jun 2019 04:18:54 +0200
Message-Id: <20190605021854.26095-1-andreas.rheinhardt@gmail.com>
X-Mailer: git-send-email 2.21.0
Subject: [FFmpeg-devel] [PATCH] cbs_h2645: Fix infinite loop in more_rbsp_data
Cc: Andreas Rheinhardt

cbs_h2645_read_more_rbsp_data does not handle malformed input very well:

1. If there were <= 8 bits left in the bitreader, these bits were read via show_bits. But show_bits requires the number of bits to be read to be > 0 (internally it shifts by 32 - number of bits to be read which is undefined behaviour if said number is zero; there is also an assert for this, but it is only an av_assert2). Furthermore, in this case a shift by -1 was performed which is of course undefined behaviour, too.

2. If there were > 0 and <= 8 bits left and all of them were zero (this can only happen for defective input), it was reported that there was further RBSP data. This can lead to an infinite loop in H.265's cbs_h265_read_extension_data corresponding to the [vsp]ps_extension_data_flag syntax elements. If the relevant flag indicates the (potential) occurrence of these syntax elements, while all bits after this flag are zero, cbs_h2645_read_more_rbsp_data always returns 1 on x86. Given that a checked bitstream reader is used, we are also not "saved" by an overflow in the bitstream reader's index.

Signed-off-by: Andreas Rheinhardt
---
 libavcodec/cbs_h2645.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
index 0456937710..becb63a290 100644
--- a/libavcodec/cbs_h2645.c
+++ b/libavcodec/cbs_h2645.c @@ -328,9 +328,11 @@ static int cbs_h2645_read_more_rbsp_data(GetBitContext *gbc) int bits_left = get_bits_left(gbc); if (bits_left > 8) return 1; - if (show_bits(gbc, bits_left) == 1 << (bits_left - 1)) + if (bits_left == 0) return 0; - return 1; + if (show_bits(gbc, bits_left) & MAX_UINT_BITS(bits_left - 1)) + return 1; + return 0; } #define more_rbsp_data(var) ((var) = cbs_h2645_read_more_rbsp_data(rw))
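Review bot: the new guard `if (bits_left == 0) return 0;` only covers the exact-zero case, so a negative `bits_left` (left behind by an earlier over-read) would still reach `show_bits(gbc, bits_left)` with a count that is not > 0, which the commit message itself identifies as undefined behaviour; `if (bits_left <= 0) return 0;` closes that path at no cost. The new condition also deserves a one-line comment in the hunk, since the masking is not self-explanatory: `MAX_UINT_BITS(bits_left - 1)` selects every remaining bit below the leading position, so a set bit there means more RBSP data, while a lone stop bit or an all-zero tail (the defective input described in the message) now both return 0.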
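To make the two behaviours the commit message describes concrete, here is an added, self-contained C model that is not FFmpeg's code: a toy bit reader in place of GetBitContext, the pre-patch and patched more_rbsp_data logic, and a bounded loop mimicking cbs_h265_read_extension_data over constructed bytes. The pre-patch branch for a non-positive bit count is a modelled stand-in for the undefined behaviour the message reports (always returning 1 on x86), not the real function's code.

```c
#include <stdint.h>

/* Tiny big-endian bit reader standing in for FFmpeg's GetBitContext
 * (constructed for this example; not the library's own code). */
typedef struct { const uint8_t *buf; int size_in_bits; int index; } BitReader;

static int bits_left(const BitReader *br) { return br->size_in_bits - br->index; }

/* Peek n bits (1 <= n <= 8 here) without advancing the reader. */
static unsigned show_bits(const BitReader *br, int n)
{
    unsigned v = 0;
    for (int i = 0; i < n; i++) {
        int pos = br->index + i;
        v = (v << 1) | ((br->buf[pos >> 3] >> (7 - (pos & 7))) & 1u);
    }
    return v;
}

#define MAX_UINT_BITS(len) ((1u << (len)) - 1)   /* mask of 'len' low bits */

/* Pre-patch logic: only the exact "1 then zeros" pattern means "no more data",
 * so an all-zero tail is reported as more data. The real function has no guard
 * for n <= 0 (undefined behaviour); the commit message says it keeps returning
 * 1 on x86, which the modelled branch below reproduces explicitly. */
static int more_rbsp_data_old(const BitReader *br)
{
    int n = bits_left(br);
    if (n > 8) return 1;
    if (n <= 0) return 1;                      /* modelled x86 outcome, see above */
    return show_bits(br, n) == 1u << (n - 1) ? 0 : 1;
}

/* Patched logic: any set bit below the leading position means more data;
 * a lone stop bit or an all-zero tail (defective input) means none. */
static int more_rbsp_data_new(const BitReader *br)
{
    int n = bits_left(br);
    if (n > 8) return 1;
    if (n == 0) return 0;
    return (show_bits(br, n) & MAX_UINT_BITS(n - 1)) ? 1 : 0;
}

/* Models cbs_h265_read_extension_data: consume one extension_data_flag bit per
 * iteration while more_rbsp_data() says so. Reading starts 3 bits into one
 * constructed byte, so 5 bits remain; 'cap' bounds the pre-patch variant. */
static int extension_flags_read(uint8_t byte, int (*more)(const BitReader *), int cap)
{
    BitReader br = { &byte, 8, 3 };
    int n = 0;
    while (n < cap && more(&br)) { br.index++; n++; }
    return n;
}
```

With the byte 0x00 (five zero bits after the flag) the pre-patch variant runs until the cap while the patched one stops immediately; with 0x10 (stop bit then zeros) and 0x12 (real flag bits before the stop bit) both variants agree.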