[FFmpeg-devel] [PATCH 1/2] avcodec/hevcdec: check ff_init_cabac_decoder() for failure
Michael Niedermayer
michael at niedermayer.cc
Sat Jun 24 15:46:17 EEST 2017
Fixes: runtime error: left shift of 1965559808 by 4 places cannot be represented in type 'int'
Fixes: 2333/clusterfuzz-testcase-minimized-5223935677300736
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
---
libavcodec/hevc_cabac.c | 25 +++++++++++++++++--------
libavcodec/hevcdec.c | 26 +++++++++++++++++++-------
libavcodec/hevcdec.h | 2 +-
3 files changed, 37 insertions(+), 16 deletions(-)
diff --git a/libavcodec/hevc_cabac.c b/libavcodec/hevc_cabac.c
index 3fe228d249..4c14e77bcd 100644
--- a/libavcodec/hevc_cabac.c
+++ b/libavcodec/hevc_cabac.c
@@ -467,12 +467,12 @@ static void cabac_reinit(HEVCLocalContext *lc)
skip_bytes(&lc->cc, 0);
}
-static void cabac_init_decoder(HEVCContext *s)
+static int cabac_init_decoder(HEVCContext *s)
{
GetBitContext *gb = &s->HEVClc->gb;
skip_bits(gb, 1);
align_get_bits(gb);
- ff_init_cabac_decoder(&s->HEVClc->cc,
+ return ff_init_cabac_decoder(&s->HEVClc->cc,
gb->buffer + get_bits_count(gb) / 8,
(get_bits_left(gb) + 7) / 8);
}
@@ -501,10 +501,12 @@ static void cabac_init_state(HEVCContext *s)
s->HEVClc->stat_coeff[i] = 0;
}
-void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
+int ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
{
if (ctb_addr_ts == s->ps.pps->ctb_addr_rs_to_ts[s->sh.slice_ctb_addr_rs]) {
- cabac_init_decoder(s);
+ int ret = cabac_init_decoder(s);
+ if (ret < 0)
+ return ret;
if (s->sh.dependent_slice_segment_flag == 0 ||
(s->ps.pps->tiles_enabled_flag &&
s->ps.pps->tile_id[ctb_addr_ts] != s->ps.pps->tile_id[ctb_addr_ts - 1]))
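Review bot: ff_hevc_cabac_init() can now fail, but neither this definition nor the prototype in the hevcdec.h hunk documents the return contract, and the function is called from two places in hevcdec.c that have to agree on it. A comment above the declaration such as `/* Returns 0 on success, or a negative error code if the CABAC decoder could not be initialised; on failure the CABAC state is left partly initialised and the caller must abort the slice. */` would capture what the new early returns rely on. The same applies to cabac_init_decoder() in the first hunk, which now simply forwards ff_init_cabac_decoder()'s result. The body of ff_hevc_cabac_init continues outside this hunk.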
@@ -524,8 +526,11 @@ void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
s->ps.pps->tile_id[ctb_addr_ts] != s->ps.pps->tile_id[ctb_addr_ts - 1]) {
if (s->threads_number == 1)
cabac_reinit(s->HEVClc);
- else
- cabac_init_decoder(s);
+ else {
+ int ret = cabac_init_decoder(s);
+ if (ret < 0)
+ return ret;
+ }
cabac_init_state(s);
}
if (s->ps.pps->entropy_coding_sync_enabled_flag) {
@@ -533,8 +538,11 @@ void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
get_cabac_terminate(&s->HEVClc->cc);
if (s->threads_number == 1)
cabac_reinit(s->HEVClc);
- else
- cabac_init_decoder(s);
+ else {
+ int ret = cabac_init_decoder(s);
+ if (ret < 0)
+ return ret;
+ }
if (s->ps.sps->ctb_width == 1)
cabac_init_state(s);
@@ -543,6 +551,7 @@ void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts)
}
}
}
+ return 0;
}
#define GET_CABAC(ctx) get_cabac(&s->HEVClc->cc, &s->HEVClc->cabac_state[ctx])
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 0c478029c9..83130fc48f 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -2337,6 +2337,7 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
int x_ctb = 0;
int y_ctb = 0;
int ctb_addr_ts = s->ps.pps->ctb_addr_rs_to_ts[s->sh.slice_ctb_addr_rs];
+ int ret;
if (!ctb_addr_ts && s->sh.dependent_slice_segment_flag) {
av_log(s->avctx, AV_LOG_ERROR, "Impossible initial tile.\n");
@@ -2358,7 +2359,11 @@ static int hls_decode_entry(AVCodecContext *avctxt, void *isFilterThread)
y_ctb = (ctb_addr_rs / ((s->ps.sps->width + ctb_size - 1) >> s->ps.sps->log2_ctb_size)) << s->ps.sps->log2_ctb_size;
hls_decode_neighbour(s, x_ctb, y_ctb, ctb_addr_ts);
- ff_hevc_cabac_init(s, ctb_addr_ts);
+ ret = ff_hevc_cabac_init(s, ctb_addr_ts);
+ if (ret < 0) {
+ s->tab_slice_address[ctb_addr_rs] = -1;
+ return ret;
+ }
hls_sao_param(s, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size);
@@ -2417,7 +2422,9 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
if (ret < 0)
return ret;
- ff_init_cabac_decoder(&lc->cc, s->data + s->sh.offset[(ctb_row)-1], s->sh.size[ctb_row - 1]);
+ ret = ff_init_cabac_decoder(&lc->cc, s->data + s->sh.offset[(ctb_row)-1], s->sh.size[ctb_row - 1]);
+ if (ret < 0)
+ goto error;
}
while(more_data && ctb_addr_ts < s->ps.sps->ctb_size) {
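Review bot: The pre-existing `if (ret < 0) return ret;` at the top of this hunk, two lines above the new ff_init_cabac_decoder() check, still returns directly, while the new check goes to the `error:` label added later in the patch, which sets `wpp_err`, marks `tab_slice_address[ctb_addr_rs]` and reports progress for the row. The two failures sit in the same `if (ctb_row)` block and should presumably be handled alike; if the earlier return is taken while other rows wait on this row's progress, they are left without the failure signal. Changing that line to `goto error;` makes the block consistent with the rest of the patch. hls_decode_entry_wpp begins before this hunk and the `error:` label is in a later hunk.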
@@ -2433,15 +2440,15 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
return 0;
}
- ff_hevc_cabac_init(s, ctb_addr_ts);
+ ret = ff_hevc_cabac_init(s, ctb_addr_ts);
+ if (ret < 0)
+ goto error;
hls_sao_param(s, x_ctb >> s->ps.sps->log2_ctb_size, y_ctb >> s->ps.sps->log2_ctb_size);
more_data = hls_coding_quadtree(s, x_ctb, y_ctb, s->ps.sps->log2_ctb_size, 0);
if (more_data < 0) {
- s->tab_slice_address[ctb_addr_rs] = -1;
- atomic_store(&s1->wpp_err, 1);
- ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
- return more_data;
+ ret = more_data;
+ goto error;
}
ctb_addr_ts++;
@@ -2471,6 +2478,11 @@ static int hls_decode_entry_wpp(AVCodecContext *avctxt, void *input_ctb_row, int
ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
return 0;
+error:
+ s->tab_slice_address[ctb_addr_rs] = -1;
+ atomic_store(&s1->wpp_err, 1);
+ ff_thread_report_progress2(s->avctx, ctb_row ,thread, SHIFT_CTB_WPP);
+ return ret;
}
static int hls_slice_data_wpp(HEVCContext *s, const H2645NAL *nal)
diff --git a/libavcodec/hevcdec.h b/libavcodec/hevcdec.h
index 695ccfb591..293beb7083 100644
--- a/libavcodec/hevcdec.h
+++ b/libavcodec/hevcdec.h
@@ -508,7 +508,7 @@ int ff_hevc_frame_rps(HEVCContext *s);
int ff_hevc_slice_rpl(HEVCContext *s);
void ff_hevc_save_states(HEVCContext *s, int ctb_addr_ts);
-void ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts);
+int ff_hevc_cabac_init(HEVCContext *s, int ctb_addr_ts);
int ff_hevc_sao_merge_flag_decode(HEVCContext *s);
int ff_hevc_sao_type_idx_decode(HEVCContext *s);
int ff_hevc_sao_band_position_decode(HEVCContext *s);
--
2.13.0