author | Ashwin Natesan <ashwin.natesan@ittiam.com> | 2024-02-26 14:02:06 +0530 |
---|---|---|
committer | Harish Mahendrakar <harish.mahendrakar@ittiam.com> | 2024-05-07 11:48:55 -0700 |
commit | 72315c11ac595a73d3b629cc36647327156d5875 (patch) | |
tree | 00ceab08f604b516784e7064830d4bb90322c34f | |
parent | 828cdb77ba434eb11ce19f7f0d4482e744b27064 (diff) | |
download | libavc-upstream-main.tar.gz |
mvcdec: Heap overflow in 'ih264d_read_coeff4x4_cabac'
In some erroneous fuzzer bitstreams, the slice data requires more
parsing than what was implied by the distance between successive
start codes. The primary culprit is the NEXTBITS macro which requires
reading 4 additional bytes of the bitstream buffer. To alleviate
this, 4 bytes per 4x4 TU have been additionally allocated to the
bitstream buffer.
Bug = ossfuzz:66989
Test: mvc_dec_fuzzer
-rw-r--r-- | decoder/mvc/imvcd_api.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/decoder/mvc/imvcd_api.c b/decoder/mvc/imvcd_api.c index 1026fc8..4b1876b 100644 --- a/decoder/mvc/imvcd_api.c +++ b/decoder/mvc/imvcd_api.c @@ -733,7 +733,13 @@ static IV_API_CALL_STATUS_T imvcd_view_decode(iv_obj_t *ps_dec_hdl, imvcd_video_ if(i4_nalu_length) { - UWORD32 u4_nalu_buf_size = ((UWORD32) i4_nalu_length) + 8; + /* In some erroneous fuzzer bistreams, the slice data requires more + parsing than what was implied by the distance between successive + start codes.The primary culprit is the NEXTBITS macro which requires + reading 4 additional bytes of the bitstream buffer.To alleviate + this, 4 bytes per 4x4 TU have been additionally allocated to the + bitstream buffer. */ + UWORD32 u4_nalu_buf_size = ((UWORD32) i4_nalu_length) + 8 + 4 * 16; if(u4_nalu_buf_size > u4_bitstream_buf_size) { |
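Review bot: The new margin `+ 8 + 4 * 16` is a fixed 64 bytes per NAL unit, while the commit message and the added comment describe it as "4 bytes per 4x4 TU", which reads as something that should scale with the number of transform units in the slice; either make the comment say that 64 bytes is the chosen constant headroom for NEXTBITS over-reads (and why 16 is enough), or derive the slack from the actual TU count, and in both cases give the magic number a name such as a `#define` rather than an inline `4 * 16`. The hunk only enlarges `u4_nalu_buf_size`; it does not show whether the extra bytes past `i4_nalu_length` are zero-filled, so confirm the slack is initialized, otherwise NEXTBITS still reads whatever stale data the reused buffer holds. Minor: the added comment copies the typo "bistreams" and is missing spaces after the periods in "start codes.The" and "buffer.To".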