1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-11-26 19:01:44 +02:00

avcodec/evc_parse: Check tid

The check is based on not infinite looping. It is likely
a more strict check can be done

Fixes: Infinite loop
Fixes: 62473/clusterfuzz-testcase-minimized-ffmpeg_BSF_EVC_FRAME_MERGE_fuzzer-5719883750703104
Fixes: 62765/clusterfuzz-testcase-minimized-ffmpeg_dem_EVC_fuzzer-6448531252314112
Fixes: 63378/clusterfuzz-testcase-minimized-ffmpeg_dem_MPEGPS_fuzzer-6504993844494336

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: "Dawid Kozinski/Multimedia (PLT) /SRPOL/Staff Engineer/Samsung Electronics" <d.kozinski@samsung.com>
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2023-10-05 00:19:53 +02:00
parent d35eecd24f
commit 68cc1744db
No known key found for this signature in database
GPG Key ID: B18E8928B3948D64

View File

@ -174,6 +174,9 @@ int ff_evc_derive_poc(const EVCParamSets *ps, const EVCParserSliceHeader *sh,
} else { } else {
int SubGopLength = 1 << sps->log2_sub_gop_length; int SubGopLength = 1 << sps->log2_sub_gop_length;
if (tid > (SubGopLength > 1 ? 1 + av_log2(SubGopLength - 1) : 0))
return AVERROR_INVALIDDATA;
if (tid == 0) { if (tid == 0) {
poc->PicOrderCntVal = poc->prevPicOrderCntVal + SubGopLength; poc->PicOrderCntVal = poc->prevPicOrderCntVal + SubGopLength;
poc->DocOffset = 0; poc->DocOffset = 0;