Skip to content

Commit

Permalink
mvcdec: Heap overflow in 'ih264d_parse_fgc'
Browse files Browse the repository at this point in the history
Although the fag end of both the NALU and the bitstream buffer
 is being parsed, not all FGC SEI symbols would have been
decoded semantically. This commit detects and returns an error
in this situation.

Bug = ossfuzz:65418
Test: mvc_dec_fuzzer
  • Loading branch information
AshwinNatesan-ittiam authored and harishdm committed Jan 22, 2024
1 parent 28727ba commit a20a5df
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 1 deletion.
8 changes: 8 additions & 0 deletions decoder/ih264d_sei.c
Original file line number Diff line number Diff line change
Expand Up @@ -853,6 +853,14 @@ WORD32 ih264d_parse_fgc(dec_bit_stream_t *ps_bitstrm, dec_struct_t *ps_dec,

for(i = 0; i <= ps_sei->s_sei_fgc_params.au1_num_intensity_intervals_minus1[c]; i++)
{
/* Although the fag end of both the NALU and the bitstream buffer */
/* is being parsed, not all FGC SEI symbols would have been */
/* decoded semantically. The code below detects this condition */
if((ps_bitstrm->u4_ofst + 8 + 8) >= ps_bitstrm->u4_max_ofst)
{
return ERROR_INV_SEI_FGC_PARAMS;
}

ps_sei->s_sei_fgc_params.au1_intensity_interval_lower_bound[c][i] =
(UWORD8) ih264d_get_bits_h264(ps_bitstrm, 8);

Expand Down
4 changes: 3 additions & 1 deletion decoder/mvc/imvcd_api.c
Original file line number Diff line number Diff line change
Expand Up @@ -737,7 +737,9 @@ static IV_API_CALL_STATUS_T imvcd_view_decode(iv_obj_t *ps_dec_hdl, imvcd_video_

if(u4_nalu_buf_size > u4_bitstream_buf_size)
{
if(IV_SUCCESS != imvcd_bitstream_buf_realloc(ps_view_ctxt, u4_nalu_buf_size))
/* 64 extra bytes to account for OOB accesses during SEI parsing in */
/* some fuzzer bitstreams */
if(IV_SUCCESS != imvcd_bitstream_buf_realloc(ps_view_ctxt, u4_nalu_buf_size + 64))
{
return IV_FAIL;
}
Expand Down

0 comments on commit a20a5df

Please sign in to comment.