mvcdec: Heap overflow in 'ih264d_parse_fgc'

Although the fag end of both the NALU and the bitstream buffer is being parsed, not all FGC SEI symbols would have been decoded semantically. This commit detects and returns an error in this situation. Bug = ossfuzz:65418 Test: mvc_dec_fuzzer
ittiam-systems · Jan 17, 2024 · 0061f15 · 0061f15
1 parent 28727ba
commit 0061f15
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 1 deletion.
diff --git a/decoder/ih264d_bitstrm.c b/decoder/ih264d_bitstrm.c
@@ -179,3 +179,33 @@ UWORD8 ih264d_check_byte_aligned(dec_bit_stream_t * ps_bitstrm)
     else
         return (1);
 }
+
+/*!
+ **************************************************************************
+ * \if Function name : ih264d_is_sev \endif
+ *
+ * \brief Interprets 'u4_max_symbol_size' number of bits as using SEV and
+          checks if it is a valid SEV.
+ *
+ * \param ps_bitstrm : Pointer to bitstream
+ * \param u4_max_symbol_size : Maximum number of bits to parse
+ *
+ * \return
+ *    Returns 1 if the next set of bits is a valid SEV. 0 otherwise
+ **************************************************************************
+ */
+UWORD8 ih264d_is_sev(const dec_bit_stream_t *ps_bitstrm, const UWORD32 u4_max_symbol_size)
+{
+    UWORD32 u4_word, u4_ldz, u4_abs_val;
+
+    UWORD32 *pu4_bitstrm_buf = ps_bitstrm->pu4_buffer;
+    UWORD32 u4_bitstream_offset = ps_bitstrm->u4_ofst;
+
+    /***************************************************************/
+    /* Find leading zeros in next 32 bits                          */
+    /***************************************************************/
+    NEXTBITS_32(u4_word, u4_bitstream_offset, pu4_bitstrm_buf);
+    u4_ldz = CLZ(u4_word);
+
+    return (u4_max_symbol_size >= (2 * u4_ldz + 1));
+}
diff --git a/decoder/ih264d_bitstrm.h b/decoder/ih264d_bitstrm.h
@@ -73,6 +73,8 @@ UWORD32 ih264d_next_bits_h264(dec_bit_stream_t *, UWORD32);
 /* To flush a specified number of bits*/
 WORD32 ih264d_flush_bits_h264(dec_bit_stream_t *, WORD32);
 
+UWORD8 ih264d_is_sev(const dec_bit_stream_t *ps_bitstrm, const UWORD32 u4_max_symbol_size);
+
 /*!
  **************************************************************************
  * \if Function name : MoreRbspData \endif

diff --git a/decoder/ih264d_sei.c b/decoder/ih264d_sei.c
@@ -853,6 +853,14 @@ WORD32 ih264d_parse_fgc(dec_bit_stream_t *ps_bitstrm, dec_struct_t *ps_dec,
 
                 for(i = 0; i <= ps_sei->s_sei_fgc_params.au1_num_intensity_intervals_minus1[c]; i++)
                 {
+                    /* Although the fag end of both the NALU and the bitstream buffer */
+                    /* is being parsed, not all FGC SEI symbols would have been */
+                    /* decoded semantically. The code below detects this condition */
+                    if((ps_bitstrm->u4_ofst + 8 + 8) >= ps_bitstrm->u4_max_ofst)
+                    {
+                        return ERROR_INV_SEI_FGC_PARAMS;
+                    }
+
                     ps_sei->s_sei_fgc_params.au1_intensity_interval_lower_bound[c][i] =
                         (UWORD8) ih264d_get_bits_h264(ps_bitstrm, 8);
 
@@ -861,6 +869,15 @@ WORD32 ih264d_parse_fgc(dec_bit_stream_t *ps_bitstrm, dec_struct_t *ps_dec,
 
                     for(j = 0; j <= ps_sei->s_sei_fgc_params.au1_num_model_values_minus1[c]; j++)
                     {
+                        /* Although the fag end of both the NALU and the bitstream buffer */
+                        /* is being parsed, not all FGC SEI symbols would have been */
+                        /* decoded semantically. The code below detects this condition */
+                        if(!ih264d_is_sev(ps_bitstrm,
+                                          ps_bitstrm->u4_max_ofst - ps_bitstrm->u4_ofst))
+                        {
+                            return ERROR_INV_SEI_FGC_PARAMS;
+                        }
+
                         ps_sei->s_sei_fgc_params.ai4_comp_model_value[c][i][j] =
                             (WORD32) ih264d_sev(pu4_bitstrm_ofst, pu4_bitstrm_buf);
                         if(0 == ps_sei->s_sei_fgc_params.u1_film_grain_model_id)

diff --git a/examples/avcdec/avcdec.cmake b/examples/avcdec/avcdec.cmake
@@ -1,2 +1,3 @@
-libavc_add_executable(avcdec libavcdec SOURCES ${AVC_ROOT}/examples/avcdec/main.c)
+libavc_add_executable(avcdec libavcdec SOURCES
+                      ${AVC_ROOT}/examples/avcdec/main.c ${MD5_SOURCES})
 target_compile_definitions(avcdec PRIVATE PROFILE_ENABLE MD5_DISABLE)