From d6befb355458603ce91b3f865c56e139fa338fed Mon Sep 17 00:00:00 2001
From: Mallikarjun Kamble
Date: Wed, 10 Jul 2024 17:37:35 +0530
Subject: [PATCH] svcdec: Fix fuzzer bitstream timeout by adding check for non-VCL NAL calls
Bug = ossfuzz:67415
Test: svc_dec_fuzzer
---
 decoder/svc/isvcd_nal.c | 7 ++++++-
 decoder/svc/isvcd_nal.h | 2 +-
 decoder/svc/isvcd_nal_parse.c | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/decoder/svc/isvcd_nal.c b/decoder/svc/isvcd_nal.c
index a41c2425..9807cace 100644
--- a/decoder/svc/isvcd_nal.c
+++ b/decoder/svc/isvcd_nal.c
@@ -308,7 +308,7 @@ WORD32 isvcd_get_first_start_code(UWORD8 *pu1_stream_buffer, UWORD32 *pu4_bytes_
 WORD32 isvcd_get_annex_b_nal_unit(UWORD8 *pu1_buf_start, WORD32 i4_cur_pos, WORD32 i4_max_num_bytes, WORD32 *pi4_state, WORD32 *pi4_zero_byte_cnt, UWORD32 *pu4_bytes_consumed, void *pv_nal_unit,
- WORD32 *pi4_more_data_flag)
+ WORD32 *pi4_more_data_flag, WORD32 flags)
 {
 nal_unit_t *ps_nal_unit = (nal_unit_t *) pv_nal_unit;
 WORD32 i4_status, i4_nal_start_flag = SVCD_FALSE;
@@ -369,6 +369,11 @@ WORD32 isvcd_get_annex_b_nal_unit(UWORD8 *pu1_buf_start, WORD32 i4_cur_pos, WORD
 ps_nal_unit->i4_buf_sizes = *pu4_bytes_consumed;
 *pi4_more_data_flag = SVCD_FALSE;
+ if (flags && ((i4_max_num_bytes - i4_cur_pos) == *pu4_bytes_consumed))
+ {
+ i4_nal_start_flag = SVCD_FALSE;
+ }
+
 return (i4_nal_start_flag);
 }
 else
diff --git a/decoder/svc/isvcd_nal.h b/decoder/svc/isvcd_nal.h
index 7d9f857b..35e97e0e 100644
--- a/decoder/svc/isvcd_nal.h
+++ b/decoder/svc/isvcd_nal.h
@@ -191,7 +191,7 @@ WORD32 isvcd_nal_find_start_code(UWORD8 *pu1_buf_start, WORD32 i4_cur_pos, WORD3
 WORD32 isvcd_get_annex_b_nal_unit(UWORD8 *pu1_buf_start, WORD32 i4_cur_pos, WORD32 i4_max_num_bytes, WORD32 *pi4_state, WORD32 *pi4_zero_byte_cnt, UWORD32 *pu4_bytes_consumed, void *pv_nal_unit,
- WORD32 *pi4_more_data_flag);
+ WORD32 *pi4_more_data_flag, WORD32 flags);
 void isvcd_reset_emulation_ctxt(void *pv_emulation_ctxt);
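Review bot: The added early-out in isvcd_get_annex_b_nal_unit compares a signed difference with an unsigned count: `i4_max_num_bytes - i4_cur_pos` is WORD32 while `*pu4_bytes_consumed` is UWORD32, so the usual arithmetic conversions make the difference unsigned and a negative difference (if i4_cur_pos can ever exceed i4_max_num_bytes, which this hunk does not show) silently compares as a huge value rather than being rejected. Stating the precondition explicitly keeps the check well-defined: `if (flags && (i4_cur_pos <= i4_max_num_bytes) && ((UWORD32)(i4_max_num_bytes - i4_cur_pos) == *pu4_bytes_consumed))`. The new parameter is a bare `flags` tested only for non-zero, while every other parameter here carries a type prefix; since the two callers in isvcd_nal_parse.c pass literal 0 and 1, a name such as `i4_non_vcl_flag` would say what the branch means. A why-comment is also missing on the new condition; I would add `/* Non-VCL call: a NAL that ends exactly at the buffer end is not reported as a new NAL start, presumably so the caller stops re-scanning (ossfuzz:67415 timeout). */`. The enclosing function starts before this hunk and continues past it.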
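Review bot: The prototype in isvcd_nal.h gains `WORD32 flags` with no statement of what a caller should pass or what a non-zero value changes, and the declaration carries no comment at all. I would put above it: `/* flags: non-zero when called for a non-VCL NAL; a NAL unit that then consumes exactly the remaining i4_max_num_bytes - i4_cur_pos bytes yields SVCD_FALSE (no NAL start) instead of the usual start flag. */`, keeping the wording tied to the isvcd_nal.c hunk in this patch, which is the only place that behaviour is established. Naming the parameter `i4_non_vcl_flag` in both the header and the definition would match the type-prefixed names around it.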
diff --git a/decoder/svc/isvcd_nal_parse.c b/decoder/svc/isvcd_nal_parse.c
index 3dbdb9c1..01a23c47 100644
--- a/decoder/svc/isvcd_nal_parse.c
+++ b/decoder/svc/isvcd_nal_parse.c
@@ -1852,7 +1852,7 @@ WORD32 isvcd_nal_parse_vcl_nal_partial(void *pv_nal_parse_ctxt, UWORD8 *pu1_stre
 i4_nal_start_flag = isvcd_get_annex_b_nal_unit(
 pu1_stream_buffer, i4_cur_pos, *pu4_num_bytes, &ps_nal_parse_ctxt->i4_find_nal_state, &ps_nal_parse_ctxt->i4_zero_byte_cnt,
- &u4_bytes_consumed_temp, ps_nal_parse_ctxt->pv_nal_unit, &i4_more_data_flag);
+ &u4_bytes_consumed_temp, ps_nal_parse_ctxt->pv_nal_unit, &i4_more_data_flag, 0);
 i4_cur_pos += u4_bytes_consumed_temp;
 }
@@ -2264,7 +2264,7 @@ WORD32 isvcd_nal_parse_non_vcl_nal(void *pv_nal_parse_ctxt, UWORD8 *pu1_stream_b
 i4_nal_start_flag = isvcd_get_annex_b_nal_unit(
 pu1_stream_buffer, i4_cur_pos, *pu4_num_bytes, &ps_nal_parse_ctxt->i4_find_nal_state, &ps_nal_parse_ctxt->i4_zero_byte_cnt,
- &u4_bytes_consumed_temp, ps_nal_parse_ctxt->pv_nal_unit, &i4_more_data_flag);
+ &u4_bytes_consumed_temp, ps_nal_parse_ctxt->pv_nal_unit, &i4_more_data_flag, 1);
 i4_cur_pos += u4_bytes_consumed_temp;
 }
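Review bot: The new argument is the bare literal `1` here and `0` in the VCL hunk above, which sends a reader of isvcd_nal_parse_non_vcl_nal to the definition to learn that it means "a NAL ending exactly at the buffer end is not a new NAL start". If the project defines SVCD_TRUE alongside the SVCD_FALSE used in isvcd_nal.c, pass `SVCD_TRUE` / `SVCD_FALSE` at the two call sites, or better a named constant such as `NON_VCL_NAL_CALL` with a one-line comment at its definition. Both enclosing functions start outside their hunks, so I cannot see whether i4_cur_pos is bounded by *pu4_num_bytes before this call, which the new check in isvcd_get_annex_b_nal_unit quietly assumes when it subtracts i4_cur_pos from i4_max_num_bytes; a short comment at the call site stating that invariant would make the assumption visible.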