From patchwork Sun Oct 22 03:04:35 2023
X-Patchwork-Submitter: Nuo Mi
X-Patchwork-Id: 44309
From: Nuo Mi
To: ffmpeg-devel@ffmpeg.org
Cc: Nuo Mi
Date: Sun, 22 Oct 2023 11:04:35 +0800
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20231022030435.3438-1-nuomi2021@gmail.com>
References: <20231022030435.3438-1-nuomi2021@gmail.com>
X-Microsoft-Original-Message-ID: <20231022030435.3438-2-nuomi2021@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avcodec/cbs_h266: more restrictive check on pps_tile_idx_delta_val

Fixes: out of array access
Fixes: 62603/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-5837632490569728
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libavcodec/cbs_h266_syntax_template.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c
index 5654f22878..5a34200a18 100644
--- a/libavcodec/cbs_h266_syntax_template.c +++ b/libavcodec/cbs_h266_syntax_template.c @@ -2043,9 +2043,12 @@ static int FUNC(pps) (CodedBitstreamContext *ctx, RWContext *rw, } if (i < current->pps_num_slices_in_pic_minus1) { if (current->pps_tile_idx_delta_present_flag) { + // Two conditions must be met: + // 1. −NumTilesInPic + 1 <= pps_tile_idx_delta_val[i] <= NumTilesInPic − 1 + // 2. 0 <= tile_idx + pps_tile_idx_delta_val[i] <= NumTilesInPic − 1 + // Combining these conditions yields: -tile_idx <= pps_tile_idx_delta_val[i] <= NumTilesInPic - 1 - tile_idx ses(pps_tile_idx_delta_val[i], - -current->num_tiles_in_pic + 1, - current->num_tiles_in_pic - 1, 1, i); + -tile_idx, current->num_tiles_in_pic - 1 - tile_idx, 1, i); if (current->pps_tile_idx_delta_val[i] == 0) { av_log(ctx->log_ctx, AV_LOG_ERROR, "pps_tile_idx_delta_val[i] shall not be equal to 0.\n");
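Review bot: the new ses() range [-tile_idx, NumTilesInPic - 1 - tile_idx] is equivalent to the two listed conditions only while 0 <= tile_idx <= NumTilesInPic - 1 already holds when the check runs; that is what makes -tile_idx >= -NumTilesInPic + 1 and NumTilesInPic - 1 - tile_idx <= NumTilesInPic - 1, so the combined bound is the tighter of the two. The comment should state that invariant explicitly (tile_idx starts at 0 and each accepted delta keeps tile_idx + pps_tile_idx_delta_val[i] inside [0, NumTilesInPic - 1]), since it is the reason the array index stays in bounds after the update. Also, the comment lines "−NumTilesInPic + 1 <= ..." and "... <= NumTilesInPic − 1" use the Unicode minus sign (U+2212) while the third line uses ASCII "-"; use ASCII "-" throughout to keep the source file 7-bit clean and consistent.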