svcenc: Integer overflow in irc_ba_get_cur_frm_est_texture_bits

'ISVCE_CMD_CTL_SET_DIMENSIONS' is expected to occur before 'ISVCE_CMD_CTL_SET_FRAMERATE'. This is necesssary since 'isvce_rc_init' initialises the frame_time_t struct used by 'ih264e_frame_time_update_src_frame_rate'. This state was not being handled correctly, and consequently, many of the computations in RC were using incorrectly initialised values for frame rate. This was resulting in signed integer overflow of 'i4_est_texture_bits_for_frm'. Bug = ossfuzz:63175 Test: svc_enc_fuzzer
ittiam-systems · Oct 26, 2023 · a97b0cc · a97b0cc
1 parent 196f0db
commit a97b0cc
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 9 deletions.
diff --git a/encoder/svc/isvce_encode.c b/encoder/svc/isvce_encode.c
@@ -249,9 +249,7 @@ WORD32 isvce_encode(iv_obj_t *ps_codec_obj, void *pv_api_ip, void *pv_api_op)
                             ps_video_encode_op->s_ive_op.u4_error_code, IV_FAIL);
     }
 
-    error_status =
-        isvce_svc_frame_params_validate(ps_codec->s_rate_control.apps_rate_control_api,
-                                        ps_codec->s_cfg.s_svc_params.u1_num_spatial_layers);
+    error_status = isvce_svc_frame_params_validate(ps_codec, ps_video_encode_ip);
     SET_ERROR_ON_RETURN(error_status, IVE_FATALERROR, ps_video_encode_op->s_ive_op.u4_error_code,
                         IV_FAIL);
 

diff --git a/encoder/svc/isvce_utils.c b/encoder/svc/isvce_utils.c
@@ -532,6 +532,19 @@ WORD32 isvce_svc_rc_params_validate(isvce_cfg_params_t *ps_cfg)
 {
     WORD32 i;
 
+    for(i = 0; i < ps_cfg->s_svc_params.u1_num_spatial_layers; i++)
+    {
+        if(0 == ps_cfg->au4_target_bitrate[i])
+        {
+            return IH264E_BITRATE_NOT_SUPPORTED;
+        }
+
+        if((0 == ps_cfg->u4_tgt_frame_rate) || (0 == ps_cfg->u4_src_frame_rate))
+        {
+            return IH264E_FRAME_RATE_NOT_SUPPORTED;
+        }
+    }
+
     /* RC requires total bits in a second to fit int32_t */
     for(i = 0; i < ps_cfg->s_svc_params.u1_num_spatial_layers; i++)
     {
@@ -558,16 +571,48 @@ WORD32 isvce_svc_rc_params_validate(isvce_cfg_params_t *ps_cfg)
 *
 *******************************************************************************
 */
-WORD32 isvce_svc_frame_params_validate(
-    rate_control_api_t *aps_rate_control_api[MAX_NUM_SPATIAL_LAYERS], UWORD8 u1_num_spatial_layers)
+WORD32 isvce_svc_frame_params_validate(isvce_codec_t *ps_codec,
+                                       isvce_video_encode_ip_t *ps_video_encode_ip)
 {
+    rate_control_api_t **pps_rate_control_api = ps_codec->s_rate_control.apps_rate_control_api;
+
+    UWORD8 u1_num_spatial_layers = ps_codec->s_cfg.s_svc_params.u1_num_spatial_layers;
+
     WORD32 i;
 
+    /* 'ISVCE_CMD_CTL_SET_DIMENSIONS' is expected to occur before 'ISVCE_CMD_CTL_SET_FRAMERATE' */
+    /* This is necesssary since 'isvce_rc_init' initialises the frame_time_t struct used */
+    /* by 'ih264e_frame_time_update_src_frame_rate' */
+    for(i = 0; i < MAX_ACTIVE_CONFIG_PARAMS; i++)
+    {
+        isvce_cfg_params_t *ps_cfg = &ps_codec->as_cfg[i];
+        bool b_set_dim_encountered = false;
+
+        if(ps_cfg->u4_is_valid)
+        {
+            if(((ps_cfg->u4_timestamp_high == ps_video_encode_ip->s_ive_ip.u4_timestamp_high) &&
+                (ps_cfg->u4_timestamp_low == ps_video_encode_ip->s_ive_ip.u4_timestamp_low)) ||
+               ((WORD32) ps_cfg->u4_timestamp_high == -1) ||
+               ((WORD32) ps_cfg->u4_timestamp_low == -1))
+            {
+                if(!b_set_dim_encountered && (ISVCE_CMD_CTL_SET_FRAMERATE == ps_cfg->e_cmd))
+                {
+                    return IH264E_INIT_NOT_DONE;
+                }
+
+                if(ISVCE_CMD_CTL_SET_DIMENSIONS == ps_cfg->e_cmd)
+                {
+                    b_set_dim_encountered = true;
+                }
+            }
+        }
+    }
+
     /* RC requires total bits in a second to fit int32_t */
     for(i = 0; i < u1_num_spatial_layers; i++)
     {
-        if((((UWORD64) irc_get_bits_per_frame(aps_rate_control_api[i])) *
-            irc_get_intra_frame_interval(aps_rate_control_api[i])) > ((UWORD64) INT32_MAX))
+        if((((UWORD64) irc_get_bits_per_frame(pps_rate_control_api[i])) *
+            irc_get_intra_frame_interval(pps_rate_control_api[i])) > ((UWORD64) INT32_MAX))
         {
             return IH264E_BITRATE_NOT_SUPPORTED;
         }

diff --git a/encoder/svc/isvce_utils.h b/encoder/svc/isvce_utils.h
@@ -182,8 +182,8 @@ extern WORD32 isvce_svc_inp_params_validate(isvce_init_ip_t *ps_ip, isvce_cfg_pa
 
 extern WORD32 isvce_svc_rc_params_validate(isvce_cfg_params_t *ps_cfg);
 
-extern WORD32 isvce_svc_frame_params_validate(
-    rate_control_api_t *aps_rate_control_api[MAX_NUM_SPATIAL_LAYERS], UWORD8 u1_num_spatial_layers);
+extern WORD32 isvce_svc_frame_params_validate(isvce_codec_t *ps_codec,
+                                              isvce_video_encode_ip_t *ps_video_encode_ip);
 
 extern WORD32 isvce_get_total_svc_au_buf_size(svc_inp_params_t *ps_svc_inp_params,
                                               WORD32 i4_pic_size, WORD32 i4_level,