From patchwork Tue Apr 9 07:55:11 2024
X-Patchwork-Submitter: Frank Plowman
X-Patchwork-Id: 47966
From: Frank Plowman
Date: Tue, 09 Apr 2024 07:55:11 +0000 (UTC)
To: ffmpeg-devel@ffmpeg.org
Cc: Frank Plowman
Message-ID: <20240409075507.7576-1-post@frankplowman.com>
X-Mailer: git-send-email 2.44.0
Subject: [FFmpeg-devel] [PATCH] lavc/vvc: Fix buffer overread in CABAC

The size variable here is taken as gospel for the bounds of the input buffer in later logic. Clamp it to ensure that the returned region does not extend past that allocated in the underlying GetBitContext, even in the case where entry point offsets are signalled in the bitstream. Also assert this for good measure.

Signed-off-by: Frank Plowman
---
 libavcodec/vvc/dec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/vvc/dec.c b/libavcodec/vvc/dec.c
index 27ffbb741d..a4fc40b40a 100644
--- a/libavcodec/vvc/dec.c
+++ b/libavcodec/vvc/dec.c
@@ -497,9 +497,11 @@ static void ep_init_cabac_decoder(SliceContext *sc, const int index, skipped++; } size = end - start; + size = av_clip(size, 0, get_bits_left(gb) / 8); } else { size = get_bits_left(gb) / 8; } + av_assert0(gb->buffer + get_bits_count(gb) / 8 + size <= gb->buffer_end); ff_init_cabac_decoder (&ep->cc, gb->buffer + get_bits_count(gb) / 8, size); skip_bits(gb, size * 8); }
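Review bot: the clamp at `size = av_clip(size, 0, get_bits_left(gb) / 8);` silently truncates a sub-stream whose signalled entry point offsets run past the buffer, so a malformed slice header is decoded from a shortened (possibly zero-length) region with no diagnostic; since `ep_init_cabac_decoder` is `void`, consider at least an `AV_LOG_WARNING` message when the clamp changes `size`, or an error return from this helper so the caller can reject the slice. A smaller point on `av_assert0(gb->buffer + get_bits_count(gb) / 8 + size <= gb->buffer_end);`: it forms the pointer before checking it, which is only well-defined while the result stays within one past the end of the allocation; comparing offsets avoids that, e.g. `av_assert0(get_bits_count(gb) / 8 + size <= gb->buffer_end - gb->buffer);`. Finally, the result of `ff_init_cabac_decoder` is discarded on the unchanged line below, so if it can report a failure for the clamped region, nothing here surfaces that either.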
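Added example in C (not FFmpeg's code) modelling the check the patch introduces: a hypothetical `BitReader` stands in for `GetBitContext`, the cumulative entry point offsets are constructed, and `region_size` returns the clamped sub-stream size alongside the value the bitstream claimed; `region_in_bounds` performs the assertion on integer offsets rather than by forming a pointer.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for FFmpeg's GetBitContext: a byte buffer plus a
 * bit cursor. The real struct has more fields; only these matter here. */
typedef struct {
    const uint8_t *buffer;
    const uint8_t *buffer_end;
    int index;         /* current read position, in bits */
    int size_in_bits;
} BitReader;

static int bits_left(const BitReader *gb) { return gb->size_in_bits - gb->index; }
static int clip_int(int v, int lo, int hi) { return v < lo ? lo : (v > hi ? hi : v); }

/* Size in bytes of sub-stream `index`, derived from constructed cumulative entry
 * point offsets (offsets[i] = byte position where sub-stream i ends). The last
 * sub-stream (index == n) takes whatever is left. *raw receives the unclamped value. */
static int region_size(const BitReader *gb, const int *offsets, int n,
                       int index, int *raw)
{
    int size;
    if (index < n) {
        int start = index ? offsets[index - 1] : 0;
        size = offsets[index] - start;      /* trusts the bitstream */
    } else {
        size = bits_left(gb) / 8;
    }
    if (raw) *raw = size;
    /* The fix: never let signalled offsets claim more than the reader holds. */
    return clip_int(size, 0, bits_left(gb) / 8);
}

/* Bounds check on integer offsets; never forms a pointer past buffer_end. */
static int region_in_bounds(const BitReader *gb, int size)
{
    return gb->index / 8 + size <= gb->buffer_end - gb->buffer;
}

int main(void)
{
    static const uint8_t slice[16] = {0};            /* constructed payload */
    BitReader gb = { slice, slice + sizeof slice, 6 * 8, (int)(8 * sizeof slice) };
    static const int offsets[2] = { 6, 40 };         /* 40 > 16 bytes: malformed */
    int raw, size = region_size(&gb, offsets, 2, 1, &raw);
    printf("raw=%d in_bounds=%d  clamped=%d in_bounds=%d\n",
           raw, region_in_bounds(&gb, raw), size, region_in_bounds(&gb, size));
    return 0;
}
```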