[FFmpeg-devel] [PATCH 1/2] avcodec/hevc_ps: Fix integer overflow with num_tile_rows and num_tile_columns

Michael Niedermayer michael at niedermayer.cc
Wed Jun 26 15:41:17 EEST 2019 

On Tue, Jun 25, 2019 at 10:30:45AM -0300, James Almer wrote:
> On 6/25/2019 5:55 AM, Michael Niedermayer wrote:
> > Fixes: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
> > Fixes: 14880/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5130977304641536
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> >  libavcodec/hevc_ps.c | 23 +++++++++++++----------
> >  libavcodec/hevc_ps.h |  4 ++--
> >  2 files changed, 15 insertions(+), 12 deletions(-)
> > 
> > diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
> > index 80df417e4f..07d220a5c8 100644
> > --- a/libavcodec/hevc_ps.c
> > +++ b/libavcodec/hevc_ps.c
> > @@ -1584,22 +1584,25 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
> >      pps->entropy_coding_sync_enabled_flag = get_bits1(gb);
> >  
> >      if (pps->tiles_enabled_flag) {
> > -        pps->num_tile_columns = get_ue_golomb_long(gb) + 1;
> > -        pps->num_tile_rows    = get_ue_golomb_long(gb) + 1;
> > -        if (pps->num_tile_columns <= 0 ||
> > -            pps->num_tile_columns >= sps->width) {
> > +        int num_tile_columns_minus1 = get_ue_golomb(gb);
> > +        int num_tile_rows_minus1    = get_ue_golomb(gb);
> > +
> > +        if (num_tile_columns_minus1 < 0 ||
> 
> num_tile_columns_minus1 can never be < 0 for an int now that you're
> using get_ue_golomb(gb). It returns values from 0 to 8190.
> Add an av_assert0, at most. A value < 0 would mean there's a huge bug in
> golomb.h, and not invalid bitstream data.
> 
> And since you got rid of the "- 1" calculation below, which was your
> original concern, you could also just make this unsigned. There's really
> no need for an int at all.

If you look at get_ue_golomb() in golomb.h
static inline int get_ue_golomb(GetBitContext *gb)
...
there is a case that does:
    return AVERROR_INVALIDDATA;
    
That is a negative value an should be checked for before
truncating to uint8_t. There is no gurantee that error codes
when cast to uint8_t would not map to valid values.

also i belive that returning an error in cases that are
outside 0 to 8190 is the correct thing to do, so the
implementation which returns this appears to do the correct
thing to me.

Thanks

[...]


-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

The smallest minority on earth is the individual. Those who deny 
individual rights cannot claim to be defenders of minorities. - Ayn Rand
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: not available
URL: <http://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20190626/0592435d/attachment.sig>

More information about the ffmpeg-devel mailing list