cbs_sei: Detect payload overflows when reading SEI messages

The top-level GetBitContext is sized for the whole NAL unit, so it fails to detect overflows where a payload continues into the following message. To fix that, we make a new context on the stack for reading each payload. Fixes: 29892/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_REDUNDANT_PPS_fuzzer-6310830956216320 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Tested-by: Michael Niedermayer <michael@niedermayer.cc>
2021-02-02 20:58:11 +00:00 · 2021-02-02 20:58:11 +00:00 · 2c96e6cb95
parent b128b0ce22
commit 2c96e6cb95
1 changed files with 16 additions and 1 deletions
--- a/libavcodec/cbs_sei_syntax_template.c
+++ b/libavcodec/cbs_sei_syntax_template.c
@ -238,6 +238,7 @@ static int FUNC(message_list)(CodedBitstreamContext *ctx, RWContext *rw,
        uint32_t payload_type = 0;
        uint32_t payload_size = 0;
        uint32_t tmp;
+        GetBitContext payload_gbc;

        while (show_bits(rw, 8) == 0xff) {
            fixed(8, ff_byte, 0xff);
@ -253,13 +254,27 @@ static int FUNC(message_list)(CodedBitstreamContext *ctx, RWContext *rw,
        xu(8, last_payload_size_byte, tmp, 0, 254, 0);
        payload_size += tmp;

+        // There must be space remaining for both the payload and
+        // the trailing bits on the SEI NAL unit.
+        if (payload_size + 1 > get_bits_left(rw) / 8) {
+            av_log(ctx->log_ctx, AV_LOG_ERROR,
+                   "Invalid SEI message: payload_size too large "
+                   "(%"PRIu32" bytes).\n", payload_size);
+            return AVERROR_INVALIDDATA;
+        }
+        CHECK(init_get_bits(&payload_gbc, rw->buffer,
+                            get_bits_count(rw) + 8 * payload_size));
+        skip_bits_long(&payload_gbc, get_bits_count(rw));
+
        CHECK(ff_cbs_sei_list_add(current));
        message = &current->messages[k];

        message->payload_type = payload_type;
        message->payload_size = payload_size;

-        CHECK(FUNC(message)(ctx, rw, message));
+        CHECK(FUNC(message)(ctx, &payload_gbc, message));
+
+        skip_bits_long(rw, 8 * payload_size);

        if (!cbs_h2645_read_more_rbsp_data(rw))
            break;