From patchwork Tue Aug 6 21:30:03 2019
X-Patchwork-Submitter: Michael Niedermayer
X-Patchwork-Id: 14275
From: Michael Niedermayer
To: FFmpeg development discussions and patches
Date: Tue, 6 Aug 2019 23:30:03 +0200
Message-Id: <20190806213006.25210-2-michael@niedermayer.cc>
X-Mailer: git-send-email 2.22.0
In-Reply-To: <20190806213006.25210-1-michael@niedermayer.cc>
References: <20190806213006.25210-1-michael@niedermayer.cc>
Subject: [FFmpeg-devel] [PATCH 2/5] [RFC] avcodec/hevcdec: Check for overread in hls_decode_entry()

This checks by adjusting the bytestream end pointer so as to detect overread without the need for additional code in the innermost loop.
This should be safe as arrays have an additional AV_INPUT_BUFFER_PADDING_SIZE at their end.

This is simple and does not cause a slowdown, but it is hackish.
The clean way to check for overread is a counter in the cabac reader.
There may or may not be other ways to infer that overread must occur; that would require more in-depth analysis of the following syntax elements and their absolute minimum size.

This being an RFC as it is unquestionably not pretty and as I myself would of course prefer a fast AND pretty solution in case anyone has ideas ...

Improves: Timeout (190 seconds -> 86 seconds)
Improves: 15702/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5657764929470464
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer
---
 libavcodec/hevcdec.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c index f1934975d5..6ba07b959a 100644 --- a/libavcodec/hevcdec.c +++ b/libavcodec/hevcdec.c @@ -2434,6 +2434,7 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread) s->tab_slice_address[ctb_addr_rs] = -1; return ret; } + s->HEVClc->cc.bytestream_end += 4; hls_sao_param(s, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size); @@ -2442,6 +2443,8 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread) s->filter_slice_edges[ctb_addr_rs] = s->sh.slice_loop_filter_across_slices_enabled_flag; more_data = hls_coding_quadtree(s, x_ctb, y_ctb, s->ps.sps->log2_ctb_size, 0); + if (s->HEVClc->cc.bytestream >= s->HEVClc->cc.bytestream_end) + more_data = AVERROR_INVALIDDATA; if (more_data < 0) { s->tab_slice_address[ctb_addr_rs] = -1; return more_data;
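Review bot: in the first hunk, `s->HEVClc->cc.bytestream_end += 4;` sits inside the per-CTB loop body (directly after the ff_hevc_cabac_init() error return and before hls_sao_param()), so unless the CABAC reader is re-initialised on every iteration the bound is pushed out by a further 4 bytes for every CTB of the slice, and detection gets later with each CTB while the tolerated region drifts further into the AV_INPUT_BUFFER_PADDING_SIZE area the commit message relies on. The increment belongs where bytestream_end is actually (re)set during cabac init, applied exactly once per initialisation, or it needs a guard so it is only applied when the init really reset the pointer. Wherever it ends up, the bare literal 4 needs a comment tying it to the reader's refill width and to the padding guarantee; as written, nothing in the code explains why 4 is safe or why it is sufficient.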
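Review bot: in the second hunk the new `if (s->HEVClc->cc.bytestream >= s->HEVClc->cc.bytestream_end) more_data = AVERROR_INVALIDDATA;` overrides more_data unconditionally, including the legitimate more_data == 0 case in which the reader has just consumed the end_of_slice_segment_flag and may, through its look-ahead, sit at or slightly past the original end of the slice data. Please confirm that the 4-byte slack added in the first hunk covers the reader's maximum look-ahead in that situation, otherwise valid streams whose last CTB ends exactly at the buffer end get rejected; a FATE run plus a check on a stream whose slice ends on a buffer boundary would settle it. It is also worth stating in a comment that this check only fires once per CTB, so up to one CTB's worth of reads from the padding bytes still happens before the error is raised, which is the trade-off the commit message describes but the code does not.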