wrapper/FFmpeg
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

cbs_apv: Check tile component sizes

Browse source 
It was possible for the buffer pointers for the last tile to go over the
end of the unit buffer leading to a read overflow during decode of the
macroblock layer.  Check all tile component sizes to prevent this case
and also catch related tile size mismatch errors earlier.
This commit is contained in:
Mark Thompson 2025-05-03 18:45:33 +01:00
parent ea457e54e1
commit 9bf54cdb19
1 changed files with 12 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

17
libavcodec/cbs_apv_syntax_template.c
View file

@ -189,10 +189,12 @@ static int FUNC(frame_header)(CodedBitstreamContext *ctx, RWContext *rw,
}
static int FUNC(tile_header)(CodedBitstreamContext *ctx, RWContext *rw,
APVRawTileHeader *current, int tile_idx)
APVRawTileHeader *current,
int tile_idx, uint32_t tile_size)
{
const CodedBitstreamAPVContext *priv = ctx->priv_data;
uint16_t expected_tile_header_size;
uint32_t tile_size_remaining;
uint8_t max_qp;
int err;
@ -203,8 +205,10 @@ static int FUNC(tile_header)(CodedBitstreamContext *ctx, RWContext *rw,
u(16, tile_index, tile_idx, tile_idx);
tile_size_remaining = tile_size - current->tile_header_size;
for (int c = 0; c < priv->num_comp; c++) {
us(32, tile_data_size[c], 1, MAX_UINT_BITS(32), 1, c);
us(32, tile_data_size[c], 1, tile_size_remaining, 1, c);
tile_size_remaining -= current->tile_data_size[c];
}
max_qp = 3 + priv->bit_depth * 6;
@ -218,12 +222,14 @@ static int FUNC(tile_header)(CodedBitstreamContext *ctx, RWContext *rw,
}
static int FUNC(tile)(CodedBitstreamContext *ctx, RWContext *rw,
APVRawTile *current, int tile_idx)
APVRawTile *current,
int tile_idx, uint32_t tile_size)
{
const CodedBitstreamAPVContext *priv = ctx->priv_data;
int err;
CHECK(FUNC(tile_header)(ctx, rw, &current->tile_header, tile_idx));
CHECK(FUNC(tile_header)(ctx, rw, &current->tile_header,
tile_idx, tile_size));
for (int c = 0; c < priv->num_comp; c++) {
uint32_t comp_size = current->tile_header.tile_data_size[c];
@ -257,7 +263,8 @@ static int FUNC(frame)(CodedBitstreamContext *ctx, RWContext *rw,
for (int t = 0; t < priv->tile_info.num_tiles; t++) {
us(32, tile_size[t], 10, MAX_UINT_BITS(32), 1, t);
CHECK(FUNC(tile)(ctx, rw, &current->tile[t], t));
CHECK(FUNC(tile)(ctx, rw, &current->tile[t],
t, current->tile_size[t]));
}
CHECK(FUNC(filler)(ctx, rw, &current->filler));