[FFmpeg-devel] [PATCH] lavc/vvc: Prevent OOB access in subpic_tiles
Frank Plowman
post at frankplowman.com
Fri Aug 23 14:44:08 EEST 2024
The previous logic relied on the subpicture boundaries coinciding with
the tile boundaries. Per 6.3.1 of H.266 (V3), vertical subpicture
boundaries are always tile boundaries however the same cannot be said
for horizontal subpicture boundaries. Furthermore, it is possible to
construct an illegal bitstream where vertical subpicture boundaries are
not coincident with tile boundaries. In these cases, the condition of
the while loop would never be satisfied resulting in an OOB read on
col_bd/row_bd.
Patch fixes this issue by replacing != with <, thereby not requiring
subpicture boundaries and tile boundaries to be coincident.
Signed-off-by: Frank Plowman <post at frankplowman.com>
---
libavcodec/vvc/ps.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c
index 58496c9fba..ff9a6c7a15 100644
--- a/libavcodec/vvc/ps.c
+++ b/libavcodec/vvc/ps.c
@@ -384,10 +384,10 @@ static void subpic_tiles(int *tile_x, int *tile_y, int *tile_x_end, int *tile_y_
*tile_x = *tile_y = 0;
- while (pps->col_bd[*tile_x] != rx)
+ while (pps->col_bd[*tile_x] < rx)
(*tile_x)++;
- while (pps->row_bd[*tile_y] != ry)
+ while (pps->row_bd[*tile_y] < ry)
(*tile_y)++;
*tile_x_end = (*tile_x);
--
2.46.0
More information about the ffmpeg-devel
mailing list