From patchwork Mon Mar 25 08:09:00 2024
X-Patchwork-Submitter: Zhao Zhili
X-Patchwork-Id: 47421
From: Zhao Zhili
To: ffmpeg-devel@ffmpeg.org
Cc: Zhao Zhili
Date: Mon, 25 Mar 2024 16:09:00 +0800
X-OQ-MSGID: <20240325080900.854889-1-quinkblack@foxmail.com>
X-Mailer: git-send-email 2.25.1
Subject: [FFmpeg-devel] [PATCH] avcodec/h264_mp4toannexb: Fix heap buffer overflow
List-Id: FFmpeg development discussions and patches
From: Zhao Zhili

Fixes: out of array write
Fixes: 64407/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-4966763443650560

mp4toannexb_filter counts the number of bytes needed in the first pass and allocates the memory, then does the memcpy in the second pass. Updating the sps/pps size in the loop makes the count invalid in the case where SPS/PPS occur after the IDR slice. This patch processes in-band SPS/PPS before the two-pass loops.

--- libavcodec/bsf/h264_mp4toannexb.c | 59 ++++++++++++++++++++++++------- 1 file changed, 46 insertions(+), 13 deletions(-) diff --git a/libavcodec/bsf/h264_mp4toannexb.c b/libavcodec/bsf/h264_mp4toannexb.c index 120241c892..92af6a6881 100644 --- a/libavcodec/bsf/h264_mp4toannexb.c +++ b/libavcodec/bsf/h264_mp4toannexb.c @@ -208,6 +208,49 @@ static int h264_mp4toannexb_save_ps(uint8_t **dst, int *dst_size, return 0; } +static int h264_mp4toannexb_filter_ps(H264BSFContext *s, + const uint8_t *buf, + const uint8_t *buf_end) +{ + int sps_count = 0; + int pps_count = 0; + uint8_t unit_type; + + do { + uint32_t nal_size = 0; + + /* possible overread ok due to padding */ + for (int i = 0; i < s->length_size; i++) + nal_size = (nal_size << 8) | buf[i]; + + buf += s->length_size; + + /* This check requires the cast as the right side might + * otherwise be promoted to an unsigned value. */ + if ((int64_t)nal_size > buf_end - buf) + return AVERROR_INVALIDDATA; + + if (!nal_size) + continue; + + unit_type = *buf & 0x1f; + + if (unit_type == H264_NAL_SPS) { + h264_mp4toannexb_save_ps(&s->sps, &s->sps_size, &s->sps_buf_size, buf, + nal_size, !sps_count); + sps_count++; + } else if (unit_type == H264_NAL_PPS) { + h264_mp4toannexb_save_ps(&s->pps, &s->pps_size, &s->pps_buf_size, buf, + nal_size, !pps_count); + pps_count++; + } + + buf += nal_size; + } while (buf < buf_end); + + return 0; +} + static int h264_mp4toannexb_init(AVBSFContext *ctx) { int extra_size = ctx->par_in->extradata_size;
@@ -263,14 +306,14 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt) } buf_end = in->data + in->size; + ret = h264_mp4toannexb_filter_ps(s, in->data, buf_end); + if (ret < 0) + goto fail; #define LOG_ONCE(...) \ if (j) \ av_log(__VA_ARGS__) for (int j = 0; j < 2; j++) { - int sps_count = 0; - int pps_count = 0; - buf = in->data; new_idr = s->new_idr; sps_seen = s->idr_sps_seen; @@ -301,18 +344,8 @@ static int h264_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *opkt) if (unit_type == H264_NAL_SPS) { sps_seen = new_idr = 1; - if (!j) { - h264_mp4toannexb_save_ps(&s->sps, &s->sps_size, &s->sps_buf_size, - buf, nal_size, !sps_count); - sps_count++; - } } else if (unit_type == H264_NAL_PPS) { pps_seen = new_idr = 1; - if (!j) { - h264_mp4toannexb_save_ps(&s->pps, &s->pps_size, &s->pps_buf_size, - buf, nal_size, !pps_count); - pps_count++; - } /* if SPS has not been seen yet, prepend the AVCC one to PPS */ if (!sps_seen) { if (!s->sps_size) {
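Review bot: in the first hunk (the new h264_mp4toannexb_filter_ps), the return value of h264_mp4toannexb_save_ps() is discarded on both the SPS and the PPS call even though the helper returns an int (see its signature in the hunk's leading context) and manages a growable buffer through &s->sps_buf_size / &s->pps_buf_size, so a failure inside it is silently swallowed and the two passes go on sizing and copying from whatever state it left. Suggest `ret = h264_mp4toannexb_save_ps(...); if (ret < 0) return ret;` in both branches, in line with the AVERROR_INVALIDDATA return the same function already uses for a length prefix that overruns the packet. That error return is also silent: the pre-pass only receives H264BSFContext *s, so it cannot av_log; passing the AVBSFContext would let it name the truncated NAL.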
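Review bot: in the second hunk, the call `ret = h264_mp4toannexb_filter_ps(s, in->data, buf_end);` placed before `for (int j = 0; j < 2; j++)` carries no comment explaining why it has to sit there, and that ordering is the entire fix: the j == 0 pass sizes the output from s->sps_size / s->pps_size and the j == 1 pass copies from the same fields, so nothing may change them between the two passes. A one-line comment at the call site (for example `/* save in-band SPS/PPS before the passes: pass 0 sizes the output from s->sps_size/s->pps_size, pass 1 copies from them */`) would keep a later refactor from moving the save back into the loop. Note also that on the `goto fail` path the pre-pass may already have replaced s->sps / s->pps with parameter sets from earlier NALs of a packet that is then rejected; say whether keeping that partial state is intended.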
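Review bot: in the third hunk, the context comment `/* if SPS has not been seen yet, prepend the AVCC one to PPS */` is no longer accurate once the in-band save moves ahead of the loop: when the j loop reaches a PPS that precedes its SPS in the same packet, h264_mp4toannexb_filter_ps() has already overwritten s->sps with that in-band SPS, so the in-band one is prepended, not the avcC one. Before the patch, pass 0 prepended the avcC SPS (the in-band one had not been saved yet at that point) while pass 1 prepended the in-band one, which is precisely the size mismatch being fixed, so the new behaviour is the consistent one; the comment should say "prepend the currently saved SPS", and the commit message could mention that which SPS gets emitted in this case has changed.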
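The commit message describes a count-then-copy pattern whose invariant is that nothing the copying pass reads may change after the counting pass. What follows is an added example, not FFmpeg code: a miniature C model of that pattern over a constructed packet (a PPS, an IDR slice, then an in-band SPS after the slice) and a constructed 3-byte avcC SPS. `convert(0, ...)` reproduces the pre-patch ordering (the in-band SPS is saved while pass 0 counts) and `convert(1, ...)` the patched ordering (saved in a pre-pass before either pass). All names (`ps_ctx`, `save_sps`, `read_len`, `run_pass`, `convert`) are this example's own; the only things taken from the real format are the 4-byte length prefix, the NAL type field and the Annex B start code. Unlike the real filter, the copying pass here is bounds-checked and reports the overrun instead of performing it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NAL_SPS     7
#define NAL_PPS     8
#define LENGTH_SIZE 4

typedef struct {
    uint8_t *sps;      /* currently saved SPS payload: the avcC one or an in-band one */
    int      sps_size;
} ps_ctx;

static const uint8_t START_CODE[4] = { 0, 0, 0, 1 };
/* Constructed 3-byte "avcC" SPS; the in-band SPS in the packet below is 6 bytes. */
static const uint8_t AVCC_SPS[] = { 0x67, 0xAA, 0xBB };
/* Constructed packet: PPS, IDR slice, then an in-band SPS after the slice. */
static const uint8_t PACKET[] = {
    0, 0, 0, 2, 0x68, 0x01,                          /* PPS (type 8) */
    0, 0, 0, 3, 0x65, 0x10, 0x20,                    /* IDR (type 5) */
    0, 0, 0, 6, 0x67, 0xC0, 0xC1, 0xC2, 0xC3, 0xC4,  /* SPS (type 7) */
};

/* Replace the saved SPS, growing the buffer as needed. */
static int save_sps(ps_ctx *s, const uint8_t *p, int n)
{
    uint8_t *nb = realloc(s->sps, n);
    if (!nb)
        return -1;
    memcpy(nb, p, n);
    s->sps = nb;
    s->sps_size = n;
    return 0;
}

static uint32_t read_len(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* One walk over PACKET. pass -1 only saves the in-band SPS (the patch's
 * pre-pass), pass 0 counts, pass 1 copies into out[out_cap]. The SPS is saved
 * during the pass numbered save_pass: 0 is the pre-patch behaviour (saved while
 * counting), -1 the patched one. Returns bytes counted/written, or -1 when
 * pass 1 would write past out_cap (the real filter had no such guard). */
static int run_pass(ps_ctx *s, int pass, int save_pass, uint8_t *out, int out_cap)
{
    const uint8_t *buf = PACKET, *end = PACKET + sizeof(PACKET);
    int total = 0, sps_seen = 0;

    while (buf < end) {
        uint32_t n = read_len(buf);
        buf += LENGTH_SIZE;
        if ((int64_t)n > end - buf)
            return -1;                   /* length prefix overruns the packet */
        if (!n)
            continue;
        int type = buf[0] & 0x1f;

        if (type == NAL_SPS) {
            sps_seen = 1;
            if (pass == save_pass && save_sps(s, buf, (int)n) < 0)
                return -1;
        } else if (type == NAL_PPS && !sps_seen) {
            /* PPS with no SPS before it: prepend whatever SPS is saved right now */
            if (pass == 1) {
                if (total + 4 + s->sps_size > out_cap)
                    return -1;
                memcpy(out + total, START_CODE, 4);
                memcpy(out + total + 4, s->sps, s->sps_size);
            }
            total += 4 + s->sps_size;
        }
        if (pass == 1) {
            if (total + 4 + (int)n > out_cap)
                return -1;
            memcpy(out + total, START_CODE, 4);
            memcpy(out + total + 4, buf, n);
        }
        total += 4 + (int)n;
        buf += n;
    }
    return total;
}

/* Convert PACKET to Annex B into out[out_max]. fixed=0 is the pre-patch
 * ordering, fixed=1 the patched one. Returns the output length, or -1 when
 * the copy pass would overrun the buffer sized by the counting pass. */
static int convert(int fixed, uint8_t *out, int out_max)
{
    ps_ctx s = { NULL, 0 };
    uint8_t *tmp = NULL;
    int save_pass = fixed ? -1 : 0, count, written = -1;

    if (save_sps(&s, AVCC_SPS, sizeof(AVCC_SPS)) < 0)
        return -1;
    if (fixed && run_pass(&s, -1, save_pass, NULL, 0) < 0)
        goto done;
    count = run_pass(&s, 0, save_pass, NULL, 0);     /* size the output */
    if (count < 0 || !(tmp = malloc(count)))
        goto done;
    written = run_pass(&s, 1, save_pass, tmp, count); /* copy into it */
    if (written > out_max)
        written = -1;
    if (written > 0)
        memcpy(out, tmp, written);
done:
    free(tmp);
    free(s.sps);
    return written;
}
```

With the pre-patch ordering the counting pass sizes the buffer at 30 bytes using the 3-byte avcC SPS and only then saves the 6-byte in-band SPS; the copy pass needs 33 bytes, and those 3 extra bytes are the out-of-array write the fuzzer case reports. With the pre-pass the two passes agree on 33 bytes. In this model the in-band SPS appears twice in the Annex B output, once prepended before the PPS by the `!sps_seen` branch and once at its own position, which is what pre-saving it implies for a packet laid out this way.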