[FFmpeg-devel] [PATCH] lavc/vvc: Prevent OOB access in subpic_tiles

Nuo Mi nuomi2021 at gmail.com
Sat Aug 24 06:40:10 EEST 2024 

Hi Frank,
thank you for the patch
On Fri, Aug 23, 2024 at 7:45 PM Frank Plowman <post at frankplowman.com> wrote:

> The previous logic relied on the subpicture boundaries coinciding with
> the tile boundaries.  Per 6.3.1 of H.266 (V3), vertical subpicture
> boundaries are always tile boundaries however the same cannot be said
> for horizontal subpicture boundaries.

>From the spec:
"One or both of the following conditions shall be fulfilled for each
subpicture and tile:

– All CTUs in a subpicture belong to the same tile.

– All CTUs in a tile belong to the same subpicture."

This suggests that the subpicture boundary coincides with a tile boundary,
right?

Furthermore, it is possible to
> construct an illegal bitstream where vertical subpicture boundaries are
> not coincident with tile boundaries.  In these cases, the condition of
> the while loop would never be satisfied resulting in an OOB read on
> col_bd/row_bd.
>
Can we implement early checks to reject invalid streams?
If the picture boundaries are incorrect, it indicates a serious error in
the bitstream.

>
> Patch fixes this issue by replacing != with <, thereby not requiring
> subpicture boundaries and tile boundaries to be coincident.
>
> Signed-off-by: Frank Plowman <post at frankplowman.com>
> ---
>  libavcodec/vvc/ps.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libavcodec/vvc/ps.c b/libavcodec/vvc/ps.c
> index 58496c9fba..ff9a6c7a15 100644
> --- a/libavcodec/vvc/ps.c
> +++ b/libavcodec/vvc/ps.c
> @@ -384,10 +384,10 @@ static void subpic_tiles(int *tile_x, int *tile_y,
> int *tile_x_end, int *tile_y_
>
>      *tile_x = *tile_y = 0;
>
> -    while (pps->col_bd[*tile_x] != rx)
> +    while (pps->col_bd[*tile_x] < rx)
>          (*tile_x)++;
>
> -    while (pps->row_bd[*tile_y] != ry)
> +    while (pps->row_bd[*tile_y] < ry)
>          (*tile_y)++;
>
>      *tile_x_end = (*tile_x);
> --
> 2.46.0
>
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request at ffmpeg.org with subject "unsubscribe".
>

More information about the ffmpeg-devel mailing list