[FFmpeg-cvslog] lavc/vvc: Prevent OOB access in subpic_tiles
Frank Plowman
git at videolan.org
Sat Aug 31 10:11:41 EEST 2024
ffmpeg | branch: master | Frank Plowman <post at frankplowman.com> | Fri Aug 23 12:44:08 2024 +0100| [01701bdcd536d59ec9e21d9a0bb70e74dd760167] | committer: Nuo Mi
lavc/vvc: Prevent OOB access in subpic_tiles
The previous logic relied on the subpicture boundaries coinciding with
the tile boundaries. Per 6.3.1 of H.266 (V3), vertical subpicture
boundaries are always tile boundaries; however, the same cannot be said
for horizontal subpicture boundaries. Furthermore, it is possible to
construct an illegal bitstream where vertical subpicture boundaries are
not coincident with tile boundaries. In these cases, the condition of
the while loop would never be satisfied resulting in an OOB read on
col_bd/row_bd.
Patch fixes this issue by replacing != with <, thereby not requiring
subpicture boundaries and tile boundaries to be coincident.
Signed-off-by: Frank Plowman <post at frankplowman.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=01701bdcd536d59ec9e21d9a0bb70e74dd760167
---
libavcodec/vvc/ps.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c
index 58496c9fba..ff9a6c7a15 100644
--- a/libavcodec/vvc/ps.c
+++ b/libavcodec/vvc/ps.c
@@ -384,10 +384,10 @@ static void subpic_tiles(int *tile_x, int *tile_y, int *tile_x_end, int *tile_y_
*tile_x = *tile_y = 0;
- while (pps->col_bd[*tile_x] != rx)
+ while (pps->col_bd[*tile_x] < rx)
(*tile_x)++;
- while (pps->row_bd[*tile_y] != ry)
+ while (pps->row_bd[*tile_y] < ry)
(*tile_y)++;
*tile_x_end = (*tile_x);
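Review bot: both rewritten loops, `while (pps->col_bd[*tile_x] < rx)` and `while (pps->row_bd[*tile_y] < ry)`, still advance the index with no upper bound, so they terminate only if col_bd/row_bd hold an entry that is at least rx/ry. The commit message notes that an illegal bitstream can place subpicture boundaries off the tile grid; if such a stream can also yield an rx or ry larger than the last boundary stored in the array, the read still runs past the end. Unless that case is rejected before this function is called (not visible in this hunk), consider adding the tile column and row counts as a second condition in each loop. Separately, with `<` a non-coincident rx or ry now stops at the first entry greater than it rather than at an exact match, so a short comment stating which tile index is intended in that case would help future readers.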