In some erroneous fuzzer bitstreams, the slice data requires more
parsing than what was implied by the distance between successive
start codes. The primary culprit is the NEXTBITS macro which requires
reading 4 additional bytes of the bitstream buffer. To alleviate
this, 16 bytes per 4x4 TU have been additionally allocated to the
bitstream buffer. Also, chroma bytes are added for 4:2:0/4:2:2.
This is in reference to commit-72315c1, where additional bytes were added to fix a similar issue.
Bug = ossfuzz:42538616
Test: mvc_dec_fuzzer

In some erroneous fuzzer bitstreams, the slice data requires more
parsing than what was implied by the distance between successive
start codes. The primary culprit is the NEXTBITS macro which requires
reading 4 additional bytes of the bitstream buffer. To alleviate
this, 4 bytes per 4x4 TU have been additionally allocated to the
bitstream buffer.
Bug = ossfuzz:66989
Test: mvc_dec_fuzzer

Although the fag end of both the NALU and the bitstream buffer
is being parsed, not all FGC SEI symbols would have been
decoded semantically. This commit detects and returns an error
in this situation.
Bug = ossfuzz:65418
Test: mvc_dec_fuzzer

There can be cases where there are multiple SEI payloads within a
single SEI NAL. In the particular case where the payload comprises
exclusively of FGC data, the size of the NAL can exceed the size
of the 'dynamic bitstream buffer' which is used to pass the NALU
onto its appropriate parser.
This commit adds 'imvcd_bitstream_buf_realloc' which re-allocates
the 'dynamic bitstream buffer' such that any arbitrarily sized
NALU can be stored without a heap overflow.
Bug = ossfuzz:64286
Test: svc_enc_fuzzer

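The three buffer commits above (extra bytes per TU for the NEXTBITS lookahead, and the realloc path for arbitrarily sized NALUs) share one underlying pattern. The following is an added illustration written for this page, not libavc's own code: a hypothetical growable NAL buffer that keeps zeroed padding behind the payload so a 32-bit peek at the last byte stays inside the allocation, plus a consuming read that reports when parsing would run past the payload. The names nal_buf_t, nextbits, read_bits and LOOKAHEAD_PAD are invented; the pad size of 4 is an assumption chosen to match the 4 extra bytes the commit says NEXTBITS reads.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Trailing bytes a 32-bit "next bits" peek may touch past the last payload byte.
   Assumption: 4, matching the 4 extra bytes the commit says NEXTBITS reads. */
#define LOOKAHEAD_PAD 4

/* Hypothetical growable NAL buffer; not libavc's structure. */
typedef struct {
    uint8_t *data;  /* payload followed by LOOKAHEAD_PAD zero bytes */
    size_t   len;   /* payload bytes currently stored */
    size_t   cap;   /* payload capacity, excluding the padding */
} nal_buf_t;

/* Grow the buffer (realloc) until 'needed' payload bytes plus padding fit. */
static int nal_buf_reserve(nal_buf_t *b, size_t needed)
{
    if (needed <= b->cap)
        return 0;
    if (needed > SIZE_MAX - LOOKAHEAD_PAD)
        return -1;                           /* cap + pad would wrap */
    size_t new_cap = b->cap ? b->cap : 256;
    while (new_cap < needed) {
        if (new_cap > SIZE_MAX / 2) { new_cap = needed; break; }
        new_cap *= 2;
    }
    if (new_cap > SIZE_MAX - LOOKAHEAD_PAD)  /* doubling may overshoot; clamp */
        new_cap = needed;
    uint8_t *p = realloc(b->data, new_cap + LOOKAHEAD_PAD);
    if (!p)
        return -1;
    b->data = p;
    b->cap  = new_cap;
    return 0;
}

/* Store one NALU of any size, zeroing the padding behind it. */
static int nal_buf_store(nal_buf_t *b, const uint8_t *nalu, size_t n)
{
    if (nal_buf_reserve(b, n) != 0)
        return -1;
    memcpy(b->data, nalu, n);
    memset(b->data + n, 0, LOOKAHEAD_PAD);
    b->len = n;
    return 0;
}

/* Bit reader over the stored payload. */
typedef struct {
    const uint8_t *buf;
    size_t         len;     /* payload bytes; the padding lies beyond them */
    size_t         bitpos;
} bitrd_t;

/* Peek n (1..32) bits without consuming them, in the style of a NEXTBITS macro.
   It loads 5 bytes starting at bitpos/8; at the last payload byte that touches
   4 bytes past the end, which is exactly the zeroed padding. */
static uint32_t nextbits(const bitrd_t *r, unsigned n)
{
    size_t byte = r->bitpos >> 3;
    unsigned shift = (unsigned)(r->bitpos & 7);
    if (n == 0 || n > 32 || byte >= r->len)
        return 0;           /* fully consumed: nothing to peek, stay in bounds */
    uint64_t w = 0;
    for (int i = 0; i < 5; i++)
        w = (w << 8) | r->buf[byte + i];
    return (uint32_t)((w >> (40 - shift - n)) & ((1ULL << n) - 1));
}

/* Consume n bits; returns -1 if the request runs past the payload. */
static int read_bits(bitrd_t *r, unsigned n, uint32_t *out)
{
    if (n == 0 || n > 32 || r->bitpos + n > r->len * 8)
        return -1;
    *out = nextbits(r, n);
    r->bitpos += n;
    return 0;
}

/* Constructed inputs: a 3-byte payload, then a 300-byte one to force a realloc.
   Returns 0 when every step behaves as expected, else the failing step number. */
static int self_check(void)
{
    static const uint8_t small[3] = { 0xAB, 0xCD, 0xEF };
    uint8_t big[300];
    nal_buf_t b = { 0 };
    bitrd_t r;
    uint32_t v;
    int rc = 0;

    if (nal_buf_store(&b, small, 3) != 0) { rc = 1; goto out; }
    r.buf = b.data; r.len = b.len; r.bitpos = 0;
    if (nextbits(&r, 32) != 0xABCDEF00u) { rc = 2; goto out; }  /* low byte from padding */
    if (read_bits(&r, 4, &v) != 0 || v != 0xA) { rc = 3; goto out; }
    if (nextbits(&r, 8) != 0xBC) { rc = 4; goto out; }
    r.bitpos = 16;
    if (nextbits(&r, 32) != 0xEF000000u) { rc = 5; goto out; }  /* last byte: reads padding only */
    if (read_bits(&r, 16, &v) != -1) { rc = 6; goto out; }      /* over-read is reported */

    memset(big, 0x5A, sizeof big);
    if (nal_buf_store(&b, big, sizeof big) != 0) { rc = 7; goto out; }
    if (b.cap < 300 || b.len != 300) { rc = 8; goto out; }
    if (b.data[300] != 0 || b.data[303] != 0) { rc = 9; goto out; }
out:
    free(b.data);
    return rc;
}

int main(void)
{
    return self_check() == 0 ? 0 : 1;
}
```

The speculative peek (nextbits) is allowed to look into the padding and sees zeros there, while the consuming read (read_bits) refuses to advance past the payload; that split is what lets a parser detect a truncated slice without ever reading outside the allocation.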
The cases where the value for log2MaxPocLsb was exceeding
'MAX_BITS_IN_POC_LSB' were not being handled correctly,
which was resulting in an integer overflow. This has been
fixed.
Test: mvc_dec_fuzzer

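An added illustration of the check described in the commit above, written for this page and not taken from libavc: the SPS value is range-checked before it is used as a shift amount, since a shift by 32 or more bits is undefined in C and that is the overflow path. MAX_BITS_IN_POC_LSB is given the value 16 here on the assumption that it matches the H.264 bound (log2_max_pic_order_cnt_lsb_minus4 is limited to 0..12); the function names are invented.

```c
#include <stdint.h>

/* Assumed value: H.264 limits log2_max_pic_order_cnt_lsb_minus4 to 0..12, so
   log2(MaxPicOrderCntLsb) is at most 16. Illustrative, not libavc's definition. */
#define MAX_BITS_IN_POC_LSB 16

/* Derive MaxPicOrderCntLsb from the ue(v) value read out of the SPS.
   Returns 0 and sets *max_poc_lsb, or -1 when the value is out of range. */
static int derive_max_poc_lsb(uint32_t log2_max_poc_lsb_minus4, uint32_t *max_poc_lsb)
{
    /* Check the raw value first so that the "+ 4" itself cannot wrap. */
    if (log2_max_poc_lsb_minus4 > MAX_BITS_IN_POC_LSB - 4)
        return -1;
    uint32_t log2_max_poc_lsb = log2_max_poc_lsb_minus4 + 4;
    /* The shift amount is now at most 16, so the shift is defined and the
       result fits in 32 bits; an unchecked value of 28 or more would shift
       by 32 or more, which is undefined behaviour. */
    *max_poc_lsb = 1u << log2_max_poc_lsb;
    return 0;
}

/* pic_order_cnt_lsb from the slice header must be smaller than MaxPicOrderCntLsb. */
static int check_poc_lsb(uint32_t pic_order_cnt_lsb, uint32_t max_poc_lsb)
{
    return pic_order_cnt_lsb < max_poc_lsb ? 0 : -1;
}
```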
[x] For certain sequences of modification_of_pic_nums_idc,
OOB accesses of the aps_mod_dpb buffer within mvc_dpb_manager_t
struct could occur. This case has now been detected
and handled.
[x] Removed unused variables in 'imvcd_slice_functions.c'.
Test: mvc_dec_fuzzer

The worst case FGC SEI payload size in conjunction with the worst
case sizes of other NALUs can be significantly larger than the
default bitstream buffer size of 256000. It is now set to the sum
of 256000 and MAX_FGC_SEI_SIZE.
Bug: ossFuzz:58190
Test: mvc_dec_fuzzer

The logic for inserting long term refs was failing
when the new ltIdx was greater than any of the
existing ltIdx in the DPB.
Bug: 242723830
Test: fuzzer poc in bug
Change-Id: Iea9d71e563910a884ddfc2ddc6d6ab2b32581fde

abs_diff_view_idx_minus1 is present in NALU with NALUID=20
within ref_pic_list_mvc_modification.
Bug: 242723830
Test: fuzzer poc in bug
Change-Id: I6ff31b3294cd01484712eebdb6bff1e336f06e38

Corrected checks for number of views and view id
when parsing SPS in MVC decode.
Bug: 241865791
Bug: 241867454
Test: fuzzer poc in the bugs
Change-Id: I8241de5c28ddbfebdb639852cf647df5e0a9487b

Added support for decoding 'Multiview High' profile, corresponding to
profile_idc of 118 in 'Rec. ITU-T H.264 (08/2021)'.
Bug: 232169767
Test: atest CtsMediaV2TestCases
Change-Id: I63256344a8a205e74f2bcebe555f5ba6cc3163d0