mvcdec: Heap overflow in 'ih264d_read_coeff4x4_cabac'
In some erroneous fuzzer bitstreams, the slice data requires more
parsing than what was implied by the distance between successive
start codes. The primary culprit is the NEXTBITS macro which requires
reading 4 additional bytes of the bitstream buffer. To alleviate
this, 4 bytes per 4x4 TU have been additionally allocated to the
bitstream buffer.

Bug = ossfuzz:66989
Test: mvc_dec_fuzzer
AshwinNatesan-ittiam authored and harishdm committed May 7, 2024
1 parent 828cdb7 commit 72315c1
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion decoder/mvc/imvcd_api.c
Expand Up @@ -733,7 +733,13 @@ static IV_API_CALL_STATUS_T imvcd_view_decode(iv_obj_t *ps_dec_hdl, imvcd_video_

if(i4_nalu_length)
{
UWORD32 u4_nalu_buf_size = ((UWORD32) i4_nalu_length) + 8;
/* In some erroneous fuzzer bistreams, the slice data requires more
parsing than what was implied by the distance between successive
start codes.The primary culprit is the NEXTBITS macro which requires
reading 4 additional bytes of the bitstream buffer.To alleviate
this, 4 bytes per 4x4 TU have been additionally allocated to the
bitstream buffer. */
UWORD32 u4_nalu_buf_size = ((UWORD32) i4_nalu_length) + 8 + 4 * 16;

if(u4_nalu_buf_size > u4_bitstream_buf_size)
{
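Review bot: the new comment states that 4 bytes are allocated per 4x4 TU, but `+ 4 * 16` adds a fixed 64 bytes to `u4_nalu_buf_size` regardless of `i4_nalu_length`, which is 16 TUs' worth (one macroblock) and does not scale with the number of TUs in the slice; either reword the comment to say this is a fixed 64-byte slack that bounds a single NEXTBITS over-read, or derive the headroom from the NAL size if the over-read can accumulate across TUs. The following `u4_nalu_buf_size > u4_bitstream_buf_size` check only guarantees the buffer is at least this large, so the safety argument rests entirely on the margin being sufficient; consider replacing the bare `8 + 4 * 16` with a named constant next to the existing `+ 8` and fixing the comment typos ("bistreams", and the missing spaces in "start codes.The" and "buffer.To").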
