[FFmpeg-devel] [PATCH 2/3] avcodec/cbs_h266_syntax_template: sanity check num_multi_layer_olss

Michael Niedermayer michael at niedermayer.cc
Sun Jan 28 01:56:55 EET 2024 

On Sat, Jan 27, 2024 at 09:25:16AM -0300, James Almer wrote:
> On 1/26/2024 6:46 PM, Michael Niedermayer wrote:
> > It is not possible to encode a index into an empty list. Thus
> > this must be invalid at this point or before.
> > Its likely a broader earlier check can be used here, someone knowing
> > VVC should look at that. Its not immedeatly obvious from the spec
> > by looking for numlayerolss
> 
> Can you check if the following fixes it?
> 
> > diff --git a/libavcodec/cbs_h266_syntax_template.c b/libavcodec/cbs_h266_syntax_template.c
> > index 549d021211..40572dadb5 100644
> > --- a/libavcodec/cbs_h266_syntax_template.c
> > +++ b/libavcodec/cbs_h266_syntax_template.c
> > @@ -793,6 +793,7 @@ static int FUNC(vps) (CodedBitstreamContext *ctx, RWContext *rw,
> >      {
> >          //calc NumMultiLayerOlss
> >          int m;
> > +        int num_layers_in_ols = 0;
> >          uint8_t dependency_flag[VVC_MAX_LAYERS][VVC_MAX_LAYERS];
> >          uint16_t num_output_layers_in_ols[VVC_MAX_TOTAL_NUM_OLSS];
> >          uint8_t num_sub_layers_in_layer_in_ols[VVC_MAX_TOTAL_NUM_OLSS][VVC_MAX_TOTAL_NUM_OLSS];
> > @@ -895,7 +896,6 @@ static int FUNC(vps) (CodedBitstreamContext *ctx, RWContext *rw,
> >                  return AVERROR_INVALIDDATA;
> >          }
> >          for (i = 1; i < total_num_olss; i++) {
> > -            int num_layers_in_ols = 0;
> >              if (current->vps_each_layer_is_an_ols_flag) {
> >                  num_layers_in_ols = 1;
> >              } else if (current->vps_ols_mode_idc == 0 ||
> 
> num_layers_in_ols is not meant to be reset on every loop.

replacing my patch by yours does not change
num_multi_layer_olss from being 0
and if its 0 then "num_multi_layer_olss - 1" causes problems as a limit

more precissely this:
i can also send you the file if you want?


tools/target_bsf_vvc_metadata_fuzzer: Running 1 inputs 1 time(s) each.
Running: /home/michael/libfuzz-repro/65160/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_METADATA_fuzzer-4665241535119360
libavcodec/cbs_h266_syntax_template.c:1001:21: runtime error: index 257 out of bounds for type 'uint8_t [257]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/cbs_h266_syntax_template.c:1001:21 in
libavcodec/cbs_h266_syntax_template.c:1004:38: runtime error: index 257 out of bounds for type 'uint8_t [257]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior libavcodec/cbs_h266_syntax_template.c:1004:38 in
=================================================================
==29823==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ff104e7ca18 at pc 0x0000006a4fdb bp 0x7fffd376e7f0 sp 0x7fffd376e7e8
WRITE of size 1 at 0x7ff104e7ca18 thread T0
    #0 0x6a4fda in cbs_h266_read_vps libavcodec/cbs_h266_syntax_template.c:1001:21
    #1 0x5c87bc in cbs_h266_read_nal_unit libavcodec/cbs_h2645.c:1071:19
    #2 0x4ff3aa in cbs_read_fragment_content libavcodec/cbs.c:215:15
    #3 0x4ff3aa in cbs_read_data libavcodec/cbs.c:282
    #4 0x5a53ea in ff_cbs_bsf_generic_filter libavcodec/cbs_bsf.c:75:11
    #5 0x4c9b48 in LLVMFuzzerTestOneInput tools/target_bsf_fuzzer.c:154:16
    #6 0x138eb7d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #7 0x1383752 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #8 0x1388951 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #9 0x1383430 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #10 0x7ff10889ac86 in __libc_start_main /build/glibc-WcQU6j/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41f429 in _start (tools/target_bsf_vvc_metadata_fuzzer+0x41f429)

0x7ff104e7ca18 is located 0 bytes to the right of 393752-byte region [0x7ff104e1c800,0x7ff104e7ca18)
allocated by thread T0 here:
    #0 0x497e47 in posix_memalign /b/swarming/w/ir/cache/builder/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:226:3
    #1 0x130d3a8 in av_malloc libavutil/mem.c:105:9
    #2 0x8fe1c5 in ff_refstruct_alloc_ext_c libavcodec/refstruct.c:109:11
    #3 0x50c2bb in ff_cbs_alloc_unit_content libavcodec/cbs.c:933:25
    #4 0x5c864f in cbs_h266_read_nal_unit libavcodec/cbs_h2645.c:1046:11
    #5 0x4ff3aa in cbs_read_fragment_content libavcodec/cbs.c:215:15
    #6 0x4ff3aa in cbs_read_data libavcodec/cbs.c:282
    #7 0x5a53ea in ff_cbs_bsf_generic_filter libavcodec/cbs_bsf.c:75:11
    #8 0x4c9b48 in LLVMFuzzerTestOneInput tools/target_bsf_fuzzer.c:154:16
    #9 0x138eb7d in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) Fuzzer/build/../FuzzerLoop.cpp:495:13
    #10 0x1383752 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) Fuzzer/build/../FuzzerDriver.cpp:273:6
    #11 0x1388951 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) Fuzzer/build/../FuzzerDriver.cpp:690:9
    #12 0x1383430 in main Fuzzer/build/../FuzzerMain.cpp:20:10
    #13 0x7ff10889ac86 in __libc_start_main /build/glibc-WcQU6j/glibc-2.27/csu/../csu/libc-start.c:310


[...]

-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Those who are best at talking, realize last or never when they are wrong.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20240128/d2384d75/attachment.sig>

More information about the ffmpeg-devel mailing list