From patchwork Fri Feb  9 11:16:30 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nuo Mi <nuomi2021@gmail.com>
X-Patchwork-Id: 46130
Delivered-To: ffmpegpatchwork2@gmail.com
Received: by 2002:a05:6a21:a586:b0:19e:8a94:b663 with SMTP id gd6csp858110pzc;
        Fri, 9 Feb 2024 03:17:06 -0800 (PST)
X-Forwarded-Encrypted: i=2;
 AJvYcCXYB2i/jTfBFnnBSa78vVh7uJa3AR9zVqmL2201jB/xFzHHtjKU4Pj1UCYRPcLlFAgdlCeblAJg+vEUz3QhN+O7d4OVLE4RejAJqA==
X-Google-Smtp-Source: 
 AGHT+IG08ntEEjF1CCllUPPAHW18c6OslbB6qZ0zBM2VKiACOLU4gMhmTrZ692f9hHF73YSSNVUN
X-Received: by 2002:a17:906:301b:b0:a38:54ab:992b with SMTP id
 27-20020a170906301b00b00a3854ab992bmr831850ejz.3.1707477425805;
        Fri, 09 Feb 2024 03:17:05 -0800 (PST)
X-Forwarded-Encrypted: i=2;
 AJvYcCWPCj/bTAzXj8zRsI8ktpZrX2OwESo9YTE+CuH46vL4Zarpy1gfqkmfkmhMQzXulwqNoRzKfzKi45k0sDm00ZIRgSrPql/8w3Ue6v9wx+uoSzqpl6Hs11hy8qQ/vPjiHS1J8jHMP8gJIBMNyt8M99fed4ZxMzR1CsuOY5sz/7/rcME8vVUm+qnTZRtMYyfFVg1mPvrzxpk9ZImcJrcyESy1KS/J6c1r/At5hIMhLmTgn6o7qQWEz3GL9L5i42aC/aJMHa1oGcPI2hHEpHlvvPyfIWMH95IvcrrZBlfUGinJARM7x3875cwQx0danOBsx2tMof/tzx8qPvVluIi9y8MQL8gxxeGflK30tluqvz6zlx6ciNGuHpXy1KEWC6tU1iNHFCA1AH366TiC4V4fhDTtwNNet0koCHzQc4HbNMMIdzUXnhjU9Nv41zAH3BvNOOCUdtt9lBUuidtsn6yezW2bFOP7Wy5npP8x1jLnNhzxqTJoJ7Ku3MGufXoZ7yPHipo+RZfZtiEF7a6gUMYkgKjoi0is8C7pkLGNkNWTn2PrRBvBxPJz0OKcWUV5wgzObZFzsse9/Yiolw/HseGYwYevU5kcc702ydoLjRY6UYEhKsceel7crXS3OLWsE4HGccr6ixY69fqOr97AWV+MOFyk0VBwgCFoPHeR0Ka7ZsgZinF3smSmt9Yl0acuS2fm4ilw1dWV9w5DRMYXdQOx6td0Srri0q3SyhP8F6m9UOPwbTN09/2hKpBb4536nHDh76c4itLg8n/mM+6Qx171IuSiqd2e0M1gpFSlNm+vVStEPzpuKz+HyoXgd/5uvQBU/vuKeUO+t2hkYPc8owk+pZJGKy7B7oTyMdEQezHAFdP2UTXS0kh7myz/E15PjtGTxNn+1NByc93QpeRR2s93lq/EnGbF9sCi6RK59hbz2/t0tEee2fDcTBYFV9kdgZwIXrBQU1
 tlBAjgc5U7qeYPwh2PL7PZwqo29iEUnRxz+zHEB/+Pr1+gEgMe6PnHBWqxrIHBSO+i4XYu3jovSzk3JLnDHwfOKWyLeMCrH+kwot9CZo15igl/ASods/zuOOakmk9hODrTdLsiEbYZkFw2mTi4Lwuwu8YJtODGDbvIYlM4kgXxNvC8h+JXhZogRDMQv5NwjVW2QH9P3n8i6uzRIvV61gw8MUvb0HmIM1vBhKOEnIc/arKD3mJ79oyayrdIXgHTOVw4iQaBQeNzYpbJjqd7o5xPLxCbjHGWWcQ7e6IIb+g6zG9Cj20e383Av7mhJ+cwYkNXZF8jViSY+hTA8awbV6gOnTrSxGd0m4cYp2joY1j9pupbZpRw9xQQvrHuc7evIAfq0Io6lVjEpAgEEItta9b8B5bEqq5LSo0PZUuZ+oI6/aFOiBccebC3ILt0el4aYOYfZneYPnVLfQAOavBGNwDUKIKiEt95dYQefwERgZpQSrMuGzE16YgVgB546NC4hcul0XDqn4fYOwkHbrdLc8zy0seehqFgF3NpmrwKRw4g5rPNahZ10ECAO8D01I1zvHjLUhj3iGEGC1TJ3JkCEygg+xhKK/s=
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org. [79.124.17.100])
        by mx.google.com with ESMTP id
 dv13-20020a170906b80d00b00a381fa665d4si684607ejb.863.2024.02.09.03.17.05;
        Fri, 09 Feb 2024 03:17:05 -0800 (PST)
Received-SPF: pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender) client-ip=79.124.17.100;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@outlook.com
 header.s=selector1 header.b=vOWYHL9u;
       arc=fail (body hash mismatch);
       spf=pass (google.com: domain of ffmpeg-devel-bounces@ffmpeg.org
 designates 79.124.17.100 as permitted sender)
 smtp.mailfrom=ffmpeg-devel-bounces@ffmpeg.org;
       dmarc=fail (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 3465268CB01;
	Fri,  9 Feb 2024 13:17:02 +0200 (EET)
X-Original-To: ffmpeg-devel@ffmpeg.org
Delivered-To: ffmpeg-devel@ffmpeg.org
Received: from APC01-PSA-obe.outbound.protection.outlook.com
 (mail-psaapc01olkn2022.outbound.protection.outlook.com [40.92.52.22])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3229A68CB01
 for <ffmpeg-devel@ffmpeg.org>; Fri,  9 Feb 2024 13:16:55 +0200 (EET)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=WT4zbq0MlEubw89n3DbCo6yVO3BAB8PrVduWRKk6b5fJ7P89dtPfD6OYgW5h6rWQRAi4D7wyGx+MMn6hK96iJRNbmgVYgoYdnmgwISO7MhRQ4RUfB2n+8PFDubqSyN+0z8ozrnFlxQKdj8tDqiKYXXdea/AktDO1M64W5U/SjRFrRKeYyUFEjiy5YJl9YKnjZbzfa0KHVuUnytAnURWFunOhgTdLSqCG0OMxRBxDjEWqJiQMdmVs3yYTIQjywFXfu8LrFmFqCFsqsneD3a4gONrjk0UQc91jPQZqUCyAtiXvZH5sDFh+B4xrFi8KRdJIs/kEgYMY359SKjBO9RbBFQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
 bh=ppqsQe+p3ZwjzLsfQJPQtcqcFHk2eL9E0kMdpN+VQ/w=;
 b=Eyu9eqLJvXxQIQ3xlCMWa5II+xd1mqyEaEPVRRZJGK2zOJf4zM1ywpz9RDDmQ4507sUX78Oe+IotOKyAf70Y2i7x109O71dAMQtg6pzjiKrxnGs1JlSmmcREbeyu3U8IfnQ21pEBoY1rhZnEhDcczM7TP8ntnLK9IYvrFkwPbCNUv3hRqlHGJN8y095LeSW3L5GaYXoQAi+g1lUIl9R05QtfgDq4uUil4ryohSMEk1i8mlF641GXww9SCv4rpWjVPifBSi86Qq3e8o7XaQlQ4EP+bu2gITrr4olkt8i/7NOK+zl+6MCkgFzt6ARUYVwk/z8JqsuOkM6VhZpSphA7zQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
 dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=ppqsQe+p3ZwjzLsfQJPQtcqcFHk2eL9E0kMdpN+VQ/w=;
 b=vOWYHL9u0dymzuAqSw9a5OzaflpfZhIO8iMAL47UailhoPtlxJhH3xMb8g6XqmDE5IKqjR+8ueJ/CMLFWWoRbmW7xsaKzsRgkfEepKCsuzQuTbLxeel6mz85myAtFe/nXOPkyEgz46krmCE0+jwJZwdSaLhArI2SB0JmV4CHc35J2Uxvd9vC7yYPmT8WaHta+fgxSReEJ9u5XA22QjrfjG9f4aCYoWjtuQ8KGrTHjfPCD89CGWfYtMz+O7lNB/itqL4K59Cr7iFx4pR1i+8ZRyHK+DqSfTiJYlIvRehqy5SF8Ds8b/6K9G0EyTUHUohRH/buicQVQS8LSQh93Vz8gA==
Received: from KL1PR06MB6426.apcprd06.prod.outlook.com (2603:1096:820:f7::5)
 by KL1PR06MB6944.apcprd06.prod.outlook.com (2603:1096:820:125::7) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7270.26; Fri, 9 Feb
 2024 11:16:50 +0000
Received: from KL1PR06MB6426.apcprd06.prod.outlook.com
 ([fe80::3e72:c290:f9b2:7be4]) by KL1PR06MB6426.apcprd06.prod.outlook.com
 ([fe80::3e72:c290:f9b2:7be4%4]) with mapi id 15.20.7249.039; Fri, 9 Feb 2024
 11:16:50 +0000
From: Nuo Mi <nuomi2021@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Fri,  9 Feb 2024 19:16:30 +0800
Message-ID: 
 <KL1PR06MB6426E9B630E0F636B3E10F98AA4B2@KL1PR06MB6426.apcprd06.prod.outlook.com>
X-Mailer: git-send-email 2.25.1
X-TMN: [j4q+50HckBdKbwtCoKdA/lHYXHebXemD]
X-ClientProxiedBy: TY2PR06CA0017.apcprd06.prod.outlook.com
 (2603:1096:404:42::29) To KL1PR06MB6426.apcprd06.prod.outlook.com
 (2603:1096:820:f7::5)
X-Microsoft-Original-Message-ID: <20240209111631.6026-1-nuomi2021@gmail.com>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 2
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: KL1PR06MB6426:EE_|KL1PR06MB6944:EE_
X-MS-Office365-Filtering-Correlation-Id: 4c804e14-1514-483f-8257-08dc29609c3b
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 
 ID5mQC4c0Uq5zX0Kwe1tTYTgx2ezSs7HGu2z0Q0y1hSCjuVrGAitIqxD32SsH4ytl3fCvft63ZW0unbYtZXsMQBT/yCepKYeWTlR60e31nccVhHXWWaJcBxJbVyaU20EhnOlJf0BrA4KmteKxEoeOhcDVs8eXGdt1Bl17Bb2twm6mzLnpgcsglywMuoenZ/PAgF1RotviyEa0kzQEGh7Phybhga1UM62Lnbdu84i3Pt1qwg7mSC+qD3mfmN7kpZ5wC0n2rhyqYUNB1yHmu77KtEmmkG1Ppv/UNmdzwDJ0uIZvnTf46YvojosLKLzDvKo8eKXmSVvObBIU49NY4jn7goTC+5pRX/+c2R0gg6WIc5LpWPIBsUV2nDDAuNTnnqnoZbkTQJqgOSbzS55nXHkGzJh2H3KkjnHpMPGzkELjq20Rah/Ib6xXuBpLWsHX6gumD+0UQq779I9QCN2UlFYzRTem61vvU7hj+f6cRYadSHvLFrhrVMlbPcMhNM4VRjAbeyNK2TVODvsnWNWwgHAF4pfc1D5GPjAau/STquhNAehlqoe4/L90+iREhs0EOF5KMhTA1/L77UIgvvMPFuhEb3re6ScTm54aoEuSHLuGkKDbw0eqeVHogj2FzqifcBb
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 t3wtvOJaRizKruUxyZZjnvIlFR3MeQfcR78VI1F+t5Gs7Qr6ktau7gl2yGyDh95Gfzw3QPoNp9hhnNICrwjT6W/73YTD6Fnj5MBLknaD9Dwu1rBsrlJrT/tUURPBiAq2fBRVYxsY2EyBg/F+HUGt9mDyzC9yTHi/odGvDB9nh90k+kUPU5cLu6qqJszrNobKA4bllf6YleaTh8uDXv/asfvJ6YZByvEpSnhgCOrGQO2AdofM7ojv9FDuIlXN+1fxcWppPhy4EmeQKWdAWP5/rCxIFpivMMZymyD1n5+eaDvq5+3L1IJJES0vPszmZsyLz3M3qAeAE1KjOXKxuxjmpPDWqdg/EP6W0l1B5OSzU/foQg98bApC6d+bL6m7eJoRZjo/fjoiHv3V4qwcIPbyo9kF3g8jpmu4Zs956u5FIutLHUJ2wXn2eOjqrTSbvPguN/9OwhfnlP/aqTe4lMtlhqlDeh8RJqHMNrJXL123O08grSuizigqbHLinT4fkT9I5EWC2PNu6WQkHrgrG9H+XZ+qXOaxup80JwlIIlS1o6ruBImgUfidX2OGKAvyPplem4Is/nurU+RNzTjpZNPrMrZPpwdf8iuiNEuR1TUAw7ZZ1mxaImsu1bMrkYFhO2zLY4uZ2Sd/X2FFNKBNVmYHqHbsFac1Sl1MFppeJP46BWNskZl5OdzLXu/JwPgfGFSE6qcuWnTlL8fXiMRbcWV3i0iq1ElvB2cOY2MY1RuCTpuu2W1V6qGl0lXDdNhcO4CKXDybS/eAbQfNi93m2JSvrWqQxWJjbgQHIgvza2lD1Vaf4Xg47eqvQFtwKA22WqjneZyja1AtLrednIAsGqFgvAEaBdux+eVwc2tYmvsQwPt8dwr/6zCUUIDri3vAQB1AhQhMUzTakO58xLAIYBFrwlTGLwSri7a5o5oA63Ugx9lRSolKwsXHGC1nDoAjwbOMIwxT2bJnbPcYaoQiOBcpo7I5+0KdxIdDxtMEkNrOOu8y0DoOjoB7gUYLHXJbQVkLLFDHAzGHfCRtZHg9z25mXNHyTLBKrUjDaEHMp2Gf53ybhMCv32k33hNNTUuolSy4UheX3F7AvcIeIYwcL3meW4w9cM1US7le9ffzUj1khu5sfJj/apTQSrqH69c4Kz4JwjLAjifH1KIkbL2wM1/lruoOEbJ+ys5OfwMZ5JsiIPN2sF/P4Uv6oIvQ3hAOKjN5/XwbdBIkPDWfX1t+msyOKiynazfPeAhRhAT39EylGsGliWF6WTuWsl9SLKjtUqobBFcAAL+rPmcl88Ksym+bMQ==
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 4c804e14-1514-483f-8257-08dc29609c3b
X-MS-Exchange-CrossTenant-AuthSource: KL1PR06MB6426.apcprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Feb 2024 11:16:49.8971 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 
 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: KL1PR06MB6944
Subject: [FFmpeg-devel] [PATCH v2 1/2] avcodec/vvc_mp4toannexb: check bytes
 left for nalu_len
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Michael Niedermayer <michael@niedermayer.cc>,
 Nuo Mi <nuomi2021@gmail.com>,
 Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
X-TUID: v/NIYtwWBexQ

Fixes: fuzzer timeout
Fixes: 65253/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_MP4TOANNEXB_fuzzer-4972412487467008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/bsf/vvc_mp4toannexb.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/bsf/vvc_mp4toannexb.c b/libavcodec/bsf/vvc_mp4toannexb.c
index 25c3726918..36bdae8f49 100644
--- a/libavcodec/bsf/vvc_mp4toannexb.c
+++ b/libavcodec/bsf/vvc_mp4toannexb.c
@@ -155,10 +155,11 @@ static int vvc_extradata_to_annexb(AVBSFContext *ctx)
         }
 
         for (j = 0; j < cnt; j++) {
-            int nalu_len = bytestream2_get_be16(&gb);
+            const int nalu_len = bytestream2_get_be16(&gb);
 
-            if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len >
-                SIZE_MAX - new_extradata_size) {
+            if (!nalu_len ||
+                nalu_len > bytestream2_get_bytes_left(&gb) ||
+                4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
                 ret = AVERROR_INVALIDDATA;
                 goto fail;
             }