har0ke/FFmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cbs_sei: Detect payload overflows when reading SEI messages

Browse Source 
The top-level GetBitContext is sized for the whole NAL unit, so it fails
to detect overflows where a payload continues into the following message.
To fix that, we make a new context on the stack for reading each payload.

Fixes: 29892/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-6310830956216320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Tested-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Mark Thompson 2021-02-02 20:58:11 +00:00
parent b128b0ce22
commit 2c96e6cb95
1 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
libavcodec/cbs_sei_syntax_template.c
View File

@ -238,6 +238,7 @@ static int FUNC(message_list)(CodedBitstreamContext *ctx, RWContext *rw,
uint32_t payload_type = 0; uint32_t payload_type = 0;
uint32_t payload_size = 0; uint32_t payload_size = 0;
uint32_t tmp; uint32_t tmp;
GetBitContext payload_gbc;
while (show_bits(rw, 8) == 0xff) { while (show_bits(rw, 8) == 0xff) {
fixed(8, ff_byte, 0xff); fixed(8, ff_byte, 0xff);
@ -253,13 +254,27 @@ static int FUNC(message_list)(CodedBitstreamContext *ctx, RWContext *rw,
xu(8, last_payload_size_byte, tmp, 0, 254, 0); xu(8, last_payload_size_byte, tmp, 0, 254, 0);
payload_size += tmp; payload_size += tmp;
// There must be space remaining for both the payload and
// the trailing bits on the SEI NAL unit.
if (payload_size + 1 > get_bits_left(rw) / 8) {
av_log(ctx->log_ctx, AV_LOG_ERROR,
"Invalid SEI message: payload_size too large "
"(%"PRIu32" bytes).\n", payload_size);
return AVERROR_INVALIDDATA;
}
CHECK(init_get_bits(&payload_gbc, rw->buffer,
get_bits_count(rw) + 8 * payload_size));
skip_bits_long(&payload_gbc, get_bits_count(rw));
CHECK(ff_cbs_sei_list_add(current)); CHECK(ff_cbs_sei_list_add(current));
message = &current->messages[k]; message = &current->messages[k];
message->payload_type = payload_type; message->payload_type = payload_type;
message->payload_size = payload_size; message->payload_size = payload_size;
CHECK(FUNC(message)(ctx, rw, message)); CHECK(FUNC(message)(ctx, &payload_gbc, message));
skip_bits_long(rw, 8 * payload_size);
if (!cbs_h2645_read_more_rbsp_data(rw)) if (!cbs_h2645_read_more_rbsp_data(rw))
break; break;