svcdec: Fix fuzzer bitstream timeout by adding check for non-VCL NAL …

…calls Bug = ossfuzz:67415 Test: svc_dec_fuzzer
ittiam-systems · Jul 10, 2024 · d6befb3 · d6befb3
1 parent debc80f
commit d6befb3
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/decoder/svc/isvcd_nal.c b/decoder/svc/isvcd_nal.c
@@ -308,7 +308,7 @@ WORD32 isvcd_get_first_start_code(UWORD8 *pu1_stream_buffer, UWORD32 *pu4_bytes_
 WORD32 isvcd_get_annex_b_nal_unit(UWORD8 *pu1_buf_start, WORD32 i4_cur_pos, WORD32 i4_max_num_bytes,
                                   WORD32 *pi4_state, WORD32 *pi4_zero_byte_cnt,
                                   UWORD32 *pu4_bytes_consumed, void *pv_nal_unit,
-                                  WORD32 *pi4_more_data_flag)
+                                  WORD32 *pi4_more_data_flag, WORD32 flags)
 {
     nal_unit_t *ps_nal_unit = (nal_unit_t *) pv_nal_unit;
     WORD32 i4_status, i4_nal_start_flag = SVCD_FALSE;
@@ -369,6 +369,11 @@ WORD32 isvcd_get_annex_b_nal_unit(UWORD8 *pu1_buf_start, WORD32 i4_cur_pos, WORD
         ps_nal_unit->i4_buf_sizes = *pu4_bytes_consumed;
         *pi4_more_data_flag = SVCD_FALSE;
 
+        if (flags && ((i4_max_num_bytes - i4_cur_pos) == *pu4_bytes_consumed))
+        {
+            i4_nal_start_flag = SVCD_FALSE;
+        }
+
         return (i4_nal_start_flag);
     }
     else

diff --git a/decoder/svc/isvcd_nal.h b/decoder/svc/isvcd_nal.h
@@ -191,7 +191,7 @@ WORD32 isvcd_nal_find_start_code(UWORD8 *pu1_buf_start, WORD32 i4_cur_pos, WORD3
 WORD32 isvcd_get_annex_b_nal_unit(UWORD8 *pu1_buf_start, WORD32 i4_cur_pos, WORD32 i4_max_num_bytes,
                                   WORD32 *pi4_state, WORD32 *pi4_zero_byte_cnt,
                                   UWORD32 *pu4_bytes_consumed, void *pv_nal_unit,
-                                  WORD32 *pi4_more_data_flag);
+                                  WORD32 *pi4_more_data_flag, WORD32 flags);
 
 void isvcd_reset_emulation_ctxt(void *pv_emulation_ctxt);
 

diff --git a/decoder/svc/isvcd_nal_parse.c b/decoder/svc/isvcd_nal_parse.c
@@ -1852,7 +1852,7 @@ WORD32 isvcd_nal_parse_vcl_nal_partial(void *pv_nal_parse_ctxt, UWORD8 *pu1_stre
             i4_nal_start_flag = isvcd_get_annex_b_nal_unit(
                 pu1_stream_buffer, i4_cur_pos, *pu4_num_bytes,
                 &ps_nal_parse_ctxt->i4_find_nal_state, &ps_nal_parse_ctxt->i4_zero_byte_cnt,
-                &u4_bytes_consumed_temp, ps_nal_parse_ctxt->pv_nal_unit, &i4_more_data_flag);
+                &u4_bytes_consumed_temp, ps_nal_parse_ctxt->pv_nal_unit, &i4_more_data_flag, 0);
 
             i4_cur_pos += u4_bytes_consumed_temp;
         }
@@ -2264,7 +2264,7 @@ WORD32 isvcd_nal_parse_non_vcl_nal(void *pv_nal_parse_ctxt, UWORD8 *pu1_stream_b
             i4_nal_start_flag = isvcd_get_annex_b_nal_unit(
                 pu1_stream_buffer, i4_cur_pos, *pu4_num_bytes,
                 &ps_nal_parse_ctxt->i4_find_nal_state, &ps_nal_parse_ctxt->i4_zero_byte_cnt,
-                &u4_bytes_consumed_temp, ps_nal_parse_ctxt->pv_nal_unit, &i4_more_data_flag);
+                &u4_bytes_consumed_temp, ps_nal_parse_ctxt->pv_nal_unit, &i4_more_data_flag, 1);
 
             i4_cur_pos += u4_bytes_consumed_temp;
         }