svcdec: Ensure decoder display dimensions match subset sequence dimensions

- Fixes for heap buffer overflow

Bug = ossfuzz:68807, ossfuzz:69682
Test: svc_dec_fuzzer
Mallikarjun Kamble 2024-07-09 17:24:32 +05:30 committed by Harish Mahendrakar
parent 72315c11ac
commit b0117e32b9


@ -766,6 +766,12 @@ WORD32 isvcd_parse_decode_slice_ext_nal(UWORD8 u1_is_idr_slice, UWORD8 u1_nal_re
if(ps_dec->u2_frm_ht_in_mbs != ps_seq->u2_frm_ht_in_mbs) return ERROR_INV_SLICE_HDR_T;
}
if(ps_dec->u1_init_dec_flag == 1)
{
if(ps_dec->u2_disp_height != ps_subset_seq->u2_disp_height) return ERROR_INV_SLICE_HDR_T;
if(ps_dec->u2_disp_width != ps_subset_seq->u2_disp_width) return ERROR_INV_SLICE_HDR_T;
}
ps_dec->i4_reorder_depth = ps_subset_seq->i4_reorder_depth;
ps_dec->u2_disp_height = ps_subset_seq->u2_disp_height;
@ -2004,6 +2010,12 @@ WORD32 isvcd_parse_decode_slice(UWORD8 u1_is_idr_slice, UWORD8 u1_nal_ref_idc,
if(ps_dec->u2_frm_ht_in_mbs != ps_seq->u2_frm_ht_in_mbs) return ERROR_INV_SLICE_HDR_T;
}
if(ps_dec->u1_init_dec_flag == 1)
{
if(ps_dec->u2_disp_height != ps_subset_seq->u2_disp_height) return ERROR_INV_SLICE_HDR_T;
if(ps_dec->u2_disp_width != ps_subset_seq->u2_disp_width) return ERROR_INV_SLICE_HDR_T;
}
if(ps_seq->u1_profile_idc == BASE_PROFILE_IDC)
{
if(ps_pps->u1_entropy_coding_mode != 0)
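Review bot: In the second hunk (isvcd_parse_decode_slice) the new guard dereferences `ps_subset_seq->u2_disp_height` and `ps_subset_seq->u2_disp_width`, while the checks directly around it (`u2_frm_ht_in_mbs`, `u1_profile_idc`) read `ps_seq`. The assignment of `ps_subset_seq` is outside the hunk, so it should be confirmed that it is always set on this path and describes the same active parameter set as `ps_seq` before it is dereferenced. The identical five-line guard is also added in isvcd_parse_decode_slice_ext_nal, so a small `static` helper taking `ps_dec` and `ps_subset_seq` would keep the two copies from drifting apart. Neither copy records why a mismatch is fatal; a comment such as `/* buffers are sized from the display dimensions at init; reject a mid-stream change */` would capture the intent, assuming that is the cause of the reported overflow. Both function bodies start and end outside the hunks shown.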