[FFmpeg-devel] [PATCH] cbs_h2645: Fix infinite loop in more_rbsp_data

Mark Thompson sw at jkqxz.net
Sat Jul 20 16:39:55 EEST 2019 

On 05/06/2019 03:18, Andreas Rheinhardt wrote:
> cbs_h2645_read_more_rbsp_data does not handle malformed input very well:
> 1. If there were <= 8 bits left in the bitreader, these bits were read
> via show_bits. But show_bits requires the number of bits to be read to
> be > 0 (internally it shifts by 32 - number of bits to be read which is
> undefined behaviour if said number is zero; there is also an assert for
> this, but it is only an av_assert2). Furthermore, in this case a shift
> by -1 was performed which is of course undefined behaviour, too.
> 2. If there were > 0 and <= 8 bits left and all of them were zero
> (this can only happen for defective input), it was reported that there
> was further RBSP data.
> 
> This can lead to an infinite loop in H.265's cbs_h265_read_extension_data
> corresponding to the [vsp]ps_extension_data_flag syntax elements. If the
> relevant flag indicates the (potential) occurence of these syntax elements,
> while all bits after this flag are zero, cbs_h2645_read_more_rbsp_data
> always returns 1 on x86. Given that a checked bitstream reader is used,
> we are also not "saved" by an overflow in the bitstream reader's index.
> 
> Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
> ---
>  libavcodec/cbs_h2645.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
> index 0456937710..becb63a290 100644
> --- a/libavcodec/cbs_h2645.c
> +++ b/libavcodec/cbs_h2645.c
> @@ -328,9 +328,11 @@ static int cbs_h2645_read_more_rbsp_data(GetBitContext *gbc)
>      int bits_left = get_bits_left(gbc);
>      if (bits_left > 8)
>          return 1;
> -    if (show_bits(gbc, bits_left) == 1 << (bits_left - 1))
> +    if (bits_left == 0)
>          return 0;
> -    return 1;
> +    if (show_bits(gbc, bits_left) & MAX_UINT_BITS(bits_left - 1))
> +        return 1;
> +    return 0;
>  }
>  
>  #define more_rbsp_data(var) ((var) = cbs_h2645_read_more_rbsp_data(rw))
> 

Good catch!  Applied.

Thanks,

- Mark

More information about the ffmpeg-devel mailing list