[FFmpeg-cvslog] cbs_sei: Detect payload overflows when reading SEI messages

Mark Thompson git at videolan.org
Sat Mar 13 00:47:05 EET 2021 

ffmpeg | branch: master | Mark Thompson <sw at jkqxz.net> | Tue Feb  2 20:58:11 2021 +0000| [2c96e6cb955af3062e78c5b0f9fb907cfb2e59e3] | committer: Mark Thompson

cbs_sei: Detect payload overflows when reading SEI messages

The top-level GetBitContext is sized for the whole NAL unit, so it fails
to detect overflows where a payload continues into the following message.
To fix that, we make a new context on the stack for reading each payload.

Fixes: 29892/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-6310830956216320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Tested-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=2c96e6cb955af3062e78c5b0f9fb907cfb2e59e3
---

 libavcodec/cbs_sei_syntax_template.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/libavcodec/cbs_sei_syntax_template.c b/libavcodec/cbs_sei_syntax_template.c
index 9114e61ff6..0ef7b42ed9 100644
--- a/libavcodec/cbs_sei_syntax_template.c
+++ b/libavcodec/cbs_sei_syntax_template.c
@@ -238,6 +238,7 @@ static int FUNC(message_list)(CodedBitstreamContext *ctx, RWContext *rw,
         uint32_t payload_type = 0;
         uint32_t payload_size = 0;
         uint32_t tmp;
+        GetBitContext payload_gbc;
 
         while (show_bits(rw, 8) == 0xff) {
             fixed(8, ff_byte, 0xff);
@@ -253,13 +254,27 @@ static int FUNC(message_list)(CodedBitstreamContext *ctx, RWContext *rw,
         xu(8, last_payload_size_byte, tmp, 0, 254, 0);
         payload_size += tmp;
 
+        // There must be space remaining for both the payload and
+        // the trailing bits on the SEI NAL unit.
+        if (payload_size + 1 > get_bits_left(rw) / 8) {
+            av_log(ctx->log_ctx, AV_LOG_ERROR,
+                   "Invalid SEI message: payload_size too large "
+                   "(%"PRIu32" bytes).\n", payload_size);
+            return AVERROR_INVALIDDATA;
+        }
+        CHECK(init_get_bits(&payload_gbc, rw->buffer,
+                            get_bits_count(rw) + 8 * payload_size));
+        skip_bits_long(&payload_gbc, get_bits_count(rw));
+
         CHECK(ff_cbs_sei_list_add(current));
         message = &current->messages[k];
 
         message->payload_type = payload_type;
         message->payload_size = payload_size;
 
-        CHECK(FUNC(message)(ctx, rw, message));
+        CHECK(FUNC(message)(ctx, &payload_gbc, message));
+
+        skip_bits_long(rw, 8 * payload_size);
 
         if (!cbs_h2645_read_more_rbsp_data(rw))
             break;

More information about the ffmpeg-cvslog mailing list