@@ -2405,6 +2405,10 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
x_ctb = (ctb_addr_rs % ((s->ps.sps->width + ctb_size - 1) >> s->ps.sps->log2_ctb_size)) << s->ps.sps->log2_ctb_size;
y_ctb = (ctb_addr_rs / ((s->ps.sps->width + ctb_size - 1) >> s->ps.sps->log2_ctb_size)) << s->ps.sps->log2_ctb_size;
+
+
+ if (s->tab_slice_address[ctb_addr_rs] >= 0)
+ s->overlap ++;
hls_decode_neighbour(s, x_ctb, y_ctb, ctb_addr_ts);
ret = ff_hevc_cabac_init(s, ctb_addr_ts);
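Review bot: The overlap test on the `if (s->tab_slice_address[ctb_addr_rs] >= 0)` line records nothing about which CTB or slice triggered it, so when the budget in decode_nal_units later rejects the packet the only diagnostic is the generic "Error parsing NAL unit" warning. A debug-level message at the increment, `av_log(s->avctx, AV_LOG_DEBUG, "CTB %d already decoded by slice %d\n", ctb_addr_rs, s->tab_slice_address[ctb_addr_rs]);`, would make such streams easy to triage without changing behaviour. The test also relies on tab_slice_address being reset to -1 at the start of every frame and cleared again when a CTB fails to decode; neither is visible in this hunk, and if a failed CTB left its entry set the counter would also charge retries within a single slice. Any other CTB loop in this file (a WPP entry point, if present) gets no such accounting, so the limit may only cover this path. The enclosing while loop and hls_decode_entry itself start before this hunk.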
@@ -2427,6 +2431,7 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
ctb_addr_ts++;
+ s->overlap++;
ff_hevc_save_states(s, ctb_addr_ts);
ff_hevc_hls_filters(s, x_ctb, y_ctb, ctb_size);
}
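Review bot: The `s->overlap++` placed after `ctb_addr_ts++` runs for every CTB, not only for overlapping ones, so the field really counts decoded CTBs plus one extra per re-decoded CTB and the name `overlap` no longer describes what it holds. Either keep two counters (`s->ctb_count++` here, leaving `overlap` for the real overlaps) and compare their sum in decode_nal_units, or add a comment on this line, `/* count every CTB; a re-decoded CTB was already counted above, so it weighs double */`, so the 2*ctb_size budget can be understood from the loop alone. The loop body and hls_decode_entry begin before this hunk.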
@@ -3020,6 +3025,7 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length)
s->ref = NULL;
s->last_eos = s->eos;
s->eos = 0;
+ s->overlap = 0;
/* split the input packet into NAL units, so we know the upper bound on the
* number of slices in the frame */
@@ -3054,6 +3060,8 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length)
continue;
ret = decode_nal_unit(s, nal);
+ if (s->ps.sps && ret >= 0 && s->overlap > 2*s->ps.sps->ctb_size)
+ ret = AVERROR_INVALIDDATA;
if (ret < 0) {
av_log(s->avctx, AV_LOG_WARNING,
"Error parsing NAL unit #%d.\n", i);
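Review bot: The new rejection on the `s->overlap > 2*s->ps.sps->ctb_size` line carries no explanation of the budget and no message of its own, so a rejected stream only produces the generic "Error parsing NAL unit" warning below it. The threshold tolerates re-decoding roughly a picture's worth of CTBs before bailing (hls_decode_entry charges an overlapped CTB twice), which deserves a comment such as `/* re-decoded CTBs count twice; bound total CTB work to ~2 pictures per packet */` and an `av_log(s->avctx, AV_LOG_ERROR, "Too many overlapping slices (%d CTB decodes)\n", s->overlap);` before `ret = AVERROR_INVALIDDATA;`. If an SPS NAL earlier in the same packet activates a different SPS, the bound is evaluated against the new ctb_size while the counter accumulated under the old one; harmless for a work-limit heuristic, but worth stating next to the check. The enclosing loop over NAL units continues outside the hunk.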
@@ -430,6 +430,7 @@ typedef struct HEVCContext {
int max_ra;
int bs_width;
int bs_height;
+ int overlap;
int is_decoded;
int no_rasl_output_flag;
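Review bot: The new `int overlap;` member is undocumented and its meaning is not what the name suggests, since hls_decode_entry increments it for every CTB decoded and once more for each CTB that was already decoded in this frame. Suggested comment on the line: `int overlap; ///< CTBs decoded in the current packet, re-decoded CTBs counted twice; bounds work on overlapping slices`. The HEVCContext struct starts before this hunk.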
Fixes: Timeout Fixes: 10108/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6222384351674368 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> --- libavcodec/hevcdec.c | 8 ++++++++ libavcodec/hevcdec.h | 1 + 2 files changed, 9 insertions(+)