diff mbox series

[FFmpeg-devel] avcodec/cbs_h266_syntax_template: check aps_adaptation_parameter_set_id

Message ID 20240127031332.17970-1-michael@niedermayer.cc
State Accepted
Commit cc774cd96249e95b4ee4989c516881f0ad07e5f9
Headers show
Series [FFmpeg-devel] avcodec/cbs_h266_syntax_template: check aps_adaptation_parameter_set_id | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Michael Niedermayer Jan. 27, 2024, 3:13 a.m. UTC 
From: James Almer <jamrial@gmail.com>

"When aps_params_type is equal to ALF_APS or SCALING_APS, the value of aps_adaptation_parameter_set_id shall be
in the range of 0 to 7, inclusive.
When aps_params_type is equal to LMCS_APS, the value of aps_adaptation_parameter_set_id shall be in the range of 0
to 3, inclusive."

Fixes: out of array accesses
Fixes: 65932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4563412340244480

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
---
 libavcodec/cbs_h266_syntax_template.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

Comments

Nuo Mi Feb. 3, 2024, 3:59 p.m. UTC | #1 
On Sat, Jan 27, 2024 at 11:13 AM Michael Niedermayer <michael@niedermayer.cc>
wrote:

> From: James Almer <jamrial@gmail.com>
>
> "When aps_params_type is equal to ALF_APS or SCALING_APS, the value of
> aps_adaptation_parameter_set_id shall be
> in the range of 0 to 7, inclusive.
> When aps_params_type is equal to LMCS_APS, the value of
> aps_adaptation_parameter_set_id shall be in the range of 0
> to 3, inclusive."
>
> Fixes: out of array accesses
> Fixes:
> 65932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4563412340244480
>
> Found-by: continuous fuzzing process
> https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> Signed-off-by
> <https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by>:
> Michael Niedermayer <michael@niedermayer.cc>
> ---
>  libavcodec/cbs_h266_syntax_template.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libavcodec/cbs_h266_syntax_template.c
> b/libavcodec/cbs_h266_syntax_template.c
> index 9e479c9c314..21da8195556 100644
> --- a/libavcodec/cbs_h266_syntax_template.c
> +++ b/libavcodec/cbs_h266_syntax_template.c
> @@ -2457,6 +2457,7 @@ static int
> FUNC(scaling_list_data)(CodedBitstreamContext *ctx, RWContext *rw,
>  static int FUNC(aps)(CodedBitstreamContext *ctx, RWContext *rw,
>                       H266RawAPS *current, int prefix)
>  {
> +    int aps_id_max = MAX_UINT_BITS(5);
>      int err;
>
>      if (prefix)
> @@ -2469,7 +2470,12 @@ static int FUNC(aps)(CodedBitstreamContext *ctx,
> RWContext *rw,
>                                         : VVC_SUFFIX_APS_NUT));
>
>      ub(3, aps_params_type);
> -    ub(5, aps_adaptation_parameter_set_id);
> +    if (current->aps_params_type == VVC_ASP_TYPE_ALF ||
> +        current->aps_params_type == VVC_ASP_TYPE_SCALING)
> +        aps_id_max = 7;
> +    else if (current->aps_params_type == VVC_ASP_TYPE_LMCS)
> +        aps_id_max = 3;
> +    u(5, aps_adaptation_parameter_set_id, 0, aps_id_max);
>      flag(aps_chroma_present_flag);
>      if (current->aps_params_type == VVC_ASP_TYPE_ALF)
>          CHECK(FUNC(alf_data)(ctx, rw, current));
> --

applied,
thanks, James and Michael

>
> 2.17.1
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
>
diff mbox series

Patch

diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c
index 9e479c9c314..21da8195556 100644
--- a/libavcodec/cbs_h266_syntax_template.c
+++ b/libavcodec/cbs_h266_syntax_template.c
@@ -2457,6 +2457,7 @@  static int FUNC(scaling_list_data)(CodedBitstreamContext *ctx, RWContext *rw,
 static int FUNC(aps)(CodedBitstreamContext *ctx, RWContext *rw,
                      H266RawAPS *current, int prefix)
 {
+    int aps_id_max = MAX_UINT_BITS(5);
     int err;
 
     if (prefix)
@@ -2469,7 +2470,12 @@  static int FUNC(aps)(CodedBitstreamContext *ctx, RWContext *rw,
                                        : VVC_SUFFIX_APS_NUT));
 
     ub(3, aps_params_type);
-    ub(5, aps_adaptation_parameter_set_id);
+    if (current->aps_params_type == VVC_ASP_TYPE_ALF ||
+        current->aps_params_type == VVC_ASP_TYPE_SCALING)
+        aps_id_max = 7;
+    else if (current->aps_params_type == VVC_ASP_TYPE_LMCS)
+        aps_id_max = 3;
+    u(5, aps_adaptation_parameter_set_id, 0, aps_id_max);
     flag(aps_chroma_present_flag);
     if (current->aps_params_type == VVC_ASP_TYPE_ALF)
         CHECK(FUNC(alf_data)(ctx, rw, current));