mvcdec: Heap overflow in 'ih264d_parse_fgc'

Although the fag end of both the NALU and the bitstream buffer is being parsed, not all FGC SEI symbols would have been decoded semantically. This commit detects and returns an error in this situation. Bug = ossfuzz:65418 Test: mvc_dec_fuzzer
ittiam-systems · Jan 16, 2024 · 2b1e563 · 2b1e563
1 parent 28727ba
commit 2b1e563
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/decoder/ih264d_sei.c b/decoder/ih264d_sei.c
@@ -851,6 +851,18 @@ WORD32 ih264d_parse_fgc(dec_bit_stream_t *ps_bitstrm, dec_struct_t *ps_dec,
                     return ERROR_INV_SEI_FGC_PARAMS;
                 }
 
+                /* Although the fag end of both the NALU and the bitstream buffer */
+                /* is being parsed, not all FGC SEI symbols would have been */
+                /* decoded semantically. The code below detects this condition */
+                if((ps_bitstrm->u4_ofst +
+                    ps_sei->s_sei_fgc_params.au1_num_intensity_intervals_minus1[c] *
+                        (8 + 8 +
+                         (ps_sei->s_sei_fgc_params.au1_num_model_values_minus1[c] + 1) * 16)) >=
+                   ps_bitstrm->u4_max_ofst)
+                {
+                    return ERROR_INV_SEI_FGC_PARAMS;
+                }
+
                 for(i = 0; i <= ps_sei->s_sei_fgc_params.au1_num_intensity_intervals_minus1[c]; i++)
                 {
                     ps_sei->s_sei_fgc_params.au1_intensity_interval_lower_bound[c][i] =
@@ -863,6 +875,7 @@ WORD32 ih264d_parse_fgc(dec_bit_stream_t *ps_bitstrm, dec_struct_t *ps_dec,
                     {
                         ps_sei->s_sei_fgc_params.ai4_comp_model_value[c][i][j] =
                             (WORD32) ih264d_sev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
+
                         if(0 == ps_sei->s_sei_fgc_params.u1_film_grain_model_id)
                         {
                             if((1 == j) || (2 == j))