svcdec: Fixes for NULL dereferencing in inter-layer functions

Resolution level initialization is tracked in inter layer prediction functions Bug = ossfuzz:62290 Test: svc_dec_fuzzer
ittiam-systems · Oct 27, 2023 · 463622a · 463622a
1 parent 196f0db
commit 463622a
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 0 deletions.
diff --git a/decoder/svc/isvcd_api.c b/decoder/svc/isvcd_api.c
@@ -5183,6 +5183,7 @@ WORD32 isvcd_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op)
                 UWORD8 u1_layer_nal_data_present = 0;
                 ps_svcd_ctxt->u1_cur_layer_id = u1_res_id;
                 ps_svc_lyr_dec = ps_svcd_ctxt->ps_svc_dec_lyr + u1_res_id;
+                ps_svc_lyr_dec->u1_res_init_done = 0;
                 ps_dec = &ps_svc_lyr_dec->s_dec;
 
                 ps_dec->i4_decode_header = ps_dec_zero_lyr->i4_decode_header;

diff --git a/decoder/svc/isvcd_parse_ebslice.c b/decoder/svc/isvcd_parse_ebslice.c
@@ -251,6 +251,9 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_ebmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
     ps_mb_part_info = ps_dec->ps_parse_mb_data;
     ps_part = ps_dec->ps_parse_part_params;
 
+    if(ps_svc_lyr_dec->u1_res_init_done == 0)
+        return NOT_OK;
+
     /* N/2 Mb MvPred and Transfer Setup Loop */
     for(i = u1_mb_idx; i < u1_num_mbs; i++, ps_mb_part_info++)
     {

diff --git a/decoder/svc/isvcd_parse_epslice.c b/decoder/svc/isvcd_parse_epslice.c
@@ -3188,6 +3188,8 @@ WORD32 isvcd_parse_interlayer_resamp_func_init(svc_dec_lyr_struct_t *ps_svc_lyr_
     dec_struct_t *ps_dec = &ps_svc_lyr_dec->s_dec;
     dec_slice_params_t *ps_slice = ps_dec->ps_cur_slice;
     WORD32 ret = OK;
+    if(ps_svc_lyr_dec->u1_res_init_done == 1)
+        return ret;
 
     if(TARGET_LAYER != ps_svc_lyr_dec->u1_layer_identifier)
     {
@@ -3209,6 +3211,8 @@ WORD32 isvcd_parse_interlayer_resamp_func_init(svc_dec_lyr_struct_t *ps_svc_lyr_
         if(ret != OK) return NOT_OK;
         ret = isvcd_residual_samp_res_init(ps_svc_lyr_dec);
         if(ret != OK) return NOT_OK;
+
+        ps_svc_lyr_dec->u1_res_init_done = 1;
     }
 
     return ret;

diff --git a/decoder/svc/isvcd_process_epslice.c b/decoder/svc/isvcd_process_epslice.c
@@ -192,6 +192,9 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_epmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
     ps_mb_part_info = ps_dec->ps_parse_mb_data;
     ps_part = ps_dec->ps_parse_part_params;
 
+    if(ps_svc_lyr_dec->u1_res_init_done == 0)
+        return NOT_OK;
+
     /* N/2 Mb MvPred and Transfer Setup Loop */
     for(i = u1_mb_idx; i < u1_num_mbs; i++, ps_mb_part_info++)
     {

diff --git a/decoder/svc/isvcd_structs.h b/decoder/svc/isvcd_structs.h
@@ -660,6 +660,7 @@ typedef struct _SvcDecLyrStruct
     WORD32 i4_frm_svc_base_mode_cabac_size;
     UWORD32 u4_pps_id_for_layer;
     UWORD8 u1_error_in_cur_frame;
+    UWORD8 u1_res_init_done;
 } svc_dec_lyr_struct_t;
 
 typedef struct