From patchwork Thu Aug 1 16:18:14 2024
X-Patchwork-Submitter: James Almer
X-Patchwork-Id: 50862
From: James Almer
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 1 Aug 2024 13:18:14 -0300
Message-ID: <20240801161814.7386-1-jamrial@gmail.com>
Subject: [FFmpeg-devel] [PATCH] avcodec/cbs_h265: don't attempt to read 0 length elements in sei_3d_reference_displays_info

Fixes: 70458/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5259339779080192
Fixes: Assertion width > 0 && width <= 32 failed at libavcodec/cbs.c:608
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer
---
 libavcodec/cbs_h265_syntax_template.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/libavcodec/cbs_h265_syntax_template.c b/libavcodec/cbs_h265_syntax_template.c
index f1be30a6c9..12fa185c77 100644
--- a/libavcodec/cbs_h265_syntax_template.c
+++ b/libavcodec/cbs_h265_syntax_template.c
@@ -2307,7 +2307,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext else length = FFMAX(0, (int)current->exponent_ref_display_width[i] + (int)current->prec_ref_display_width - 31); - ubs(length, mantissa_ref_display_width[i], 1, i); + if (length) + ubs(length, mantissa_ref_display_width[i], 1, i); + else + infer(mantissa_ref_display_width[i], 0); if (current->ref_viewing_distance_flag) { us(6, exponent_ref_viewing_distance[i], 0, 62, 1, i); if (!current->exponent_ref_viewing_distance[i]) 
@@ -2315,7 +2318,10 @@ SEI_FUNC(sei_3d_reference_displays_info, (CodedBitstreamContext *ctx, RWContext else length = FFMAX(0, (int)current->exponent_ref_viewing_distance[i] + (int)current->prec_ref_viewing_dist - 31); - ubs(length, mantissa_ref_viewing_distance[i], 1, i); + if (length) + ubs(length, mantissa_ref_viewing_distance[i], 1, i); + else + infer(mantissa_ref_viewing_distance[i], 0); } flags(additional_shift_present_flag[i], 1, i); if (current->additional_shift_present_flag[i])
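Review bot: the new `if (length)` guard in the mantissa_ref_display_width hunk closes only the `width > 0` half of the assertion quoted in the commit message; `length = FFMAX(0, (int)current->exponent_ref_display_width[i] + (int)current->prec_ref_display_width - 31)` has no upper bound here, so a large prec_ref_display_width still reaches ubs() with a width above 32 and trips the `width <= 32` half of the same assertion. Worth confirming that the range prec_ref_display_width is read with keeps that sum at or below 32, or returning an invalid-data error when length > 32 rather than relying on the assertion. A one-line comment that a zero-length mantissa is inferred as 0 would also help the next reader, since the else branch otherwise looks like it is silently skipping a syntax element.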
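Review bot: the mantissa_ref_viewing_distance hunk repeats the guard-and-infer pattern of the display-width hunk, and here the missing upper bound is visible in the context: `us(6, exponent_ref_viewing_distance[i], 0, 62, 1, i)` allows an exponent up to 62, so `FFMAX(0, 62 + prec_ref_viewing_dist - 31)` exceeds 32 as soon as prec_ref_viewing_dist is above 1, which hits the other half of the failing `width > 0 && width <= 32` assertion. Since the two blocks are identical apart from the field names, consider a small helper or macro that takes the (exponent, prec) pair, computes length, and applies both the zero-length and the over-32 checks in one place, so the two paths cannot drift apart.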