From ee6d9476a656195460c903bde741e96be4220660 Mon Sep 17 00:00:00 2001
From: Martin Storsjo
Date: Thu, 3 Aug 2017 13:59:22 +0300
Subject: Check for heightLayer out of range
Alternatively, the bits read in CProgramConfig_ReadHeightExt could be checked right there instead.
Fixes: 2802/clusterfuzz-testcase-minimized-6752357788418048
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libMpegTPDec/src/tpdec_asc.cpp | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'libMpegTPDec')
diff --git a/libMpegTPDec/src/tpdec_asc.cpp b/libMpegTPDec/src/tpdec_asc.cpp
index 96a1b35..a292bcb 100644
--- a/libMpegTPDec/src/tpdec_asc.cpp
+++ b/libMpegTPDec/src/tpdec_asc.cpp
@@ -650,6 +650,8 @@ int CProgramConfig_LookupElement(
 /* search in front channels */
 for (i = 0; i < pPce->NumFrontChannelElements; i++) {
 int heightLayer = pPce->FrontElementHeightInfo[i];
+ if (heightLayer >= PC_NUM_HEIGHT_LAYER)
+ return 0;
 if (isCpe == pPce->FrontElementIsCpe[i] && pPce->FrontElementTagSelect[i] == tag) {
 int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer];
 AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_FRONT);
@@ -704,6 +706,8 @@ int CProgramConfig_LookupElement(
 /* search in side channels */
 for (i = 0; i < pPce->NumSideChannelElements; i++) {
 int heightLayer = pPce->SideElementHeightInfo[i];
+ if (heightLayer >= PC_NUM_HEIGHT_LAYER)
+ return 0;
 if (isCpe == pPce->SideElementIsCpe[i] && pPce->SideElementTagSelect[i] == tag) {
 int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer];
 AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_SIDE);
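Review bot: The guard added in the front, side and back search loops (and again in the three counting loops of the later hunks at -758 and -817) is an upper-bound test on an `int`, so it fully protects the `ec[heightLayer]` / `cc[heightLayer]` accesses only if the `*ElementHeightInfo` arrays hold an unsigned type, which these hunks do not show. Writing it as `if (heightLayer < 0 || heightLayer >= PC_NUM_HEIGHT_LAYER) return 0;`, or declaring `heightLayer` unsigned, makes the bound independent of that. A comment on the first occurrence, e.g. `/* height info comes from the bitstream; reject the PCE rather than index past ec[]/cc[] */`, would record why the lookup bails out with 0. CProgramConfig_LookupElement starts and ends outside the hunks, so that `ec` and `cc` are sized by `PC_NUM_HEIGHT_LAYER` is inferred from the constant's name.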
@@ -758,6 +762,8 @@ int CProgramConfig_LookupElement(
 /* search in back channels */
 for (i = 0; i < pPce->NumBackChannelElements; i++) {
 int heightLayer = pPce->BackElementHeightInfo[i];
+ if (heightLayer >= PC_NUM_HEIGHT_LAYER)
+ return 0;
 if (isCpe == pPce->BackElementIsCpe[i] && pPce->BackElementTagSelect[i] == tag) {
 int h, elIdx = ec[heightLayer], chIdx = cc[heightLayer];
 AUDIO_CHANNEL_TYPE aChType = (AUDIO_CHANNEL_TYPE)((heightLayer<<4) | ACT_BACK);
@@ -817,18 +823,24 @@ int CProgramConfig_LookupElement(
 Start with counting the front channels/elements at normal height */
 for (i = 0; i < pPce->NumFrontChannelElements; i+=1) {
 int heightLayer = pPce->FrontElementHeightInfo[i];
+ if (heightLayer >= PC_NUM_HEIGHT_LAYER)
+ return 0;
 ec[heightLayer] += 1;
 cc[heightLayer] += (pPce->FrontElementIsCpe[i]) ? 2 : 1;
 }
 /* Count side channels/elements at normal height */
 for (i = 0; i < pPce->NumSideChannelElements; i+=1) {
 int heightLayer = pPce->SideElementHeightInfo[i];
+ if (heightLayer >= PC_NUM_HEIGHT_LAYER)
+ return 0;
 ec[heightLayer] += 1;
 cc[heightLayer] += (pPce->SideElementIsCpe[i]) ? 2 : 1;
 }
 /* Count back channels/elements at normal height */
 for (i = 0; i < pPce->NumBackChannelElements; i+=1) {
 int heightLayer = pPce->BackElementHeightInfo[i];
+ if (heightLayer >= PC_NUM_HEIGHT_LAYER)
+ return 0;
 ec[heightLayer] += 1;
 cc[heightLayer] += (pPce->BackElementIsCpe[i]) ? 2 : 1;
 }
-- cgit v1.2.3
From 1244b257ee7ec7d56f021a5c2e39e2c04881a148 Mon Sep 17 00:00:00 2001
From: Martin Storsjo
Date: Tue, 15 Aug 2017 16:36:05 +0300
Subject: Always feed more input data when possible for ADTS
This fixes cases where an ADTS header could set numberOfRawDataBlocks to a number larger than 1, which would lead to transportDec_FillData not feeding any more data, even though the input buffer was depleted.
Fixes: 3014/clusterfuzz-testcase-5425740193464320
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
---
 libMpegTPDec/src/tpdec_lib.cpp | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'libMpegTPDec')
diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 24f755b..09f0703 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
@@ -342,9 +342,7 @@ TRANSPORTDEC_ERROR transportDec_FillData(
 }
 } else {
 /* ... else feed bitbuffer with new stream data (append). */
- if (hTp->numberOfRawDataBlocks <= 0) {
- FDKfeedBuffer (hBs, pBuffer, bufferSize, pBytesValid) ;
- }
+ FDKfeedBuffer (hBs, pBuffer, bufferSize, pBytesValid);
 }
 return TRANSPORTDEC_OK;
-- cgit v1.2.3
From a3d11689433a046ad57add8ea22dedceb2fe722d Mon Sep 17 00:00:00 2001
From: Martin Storsjo
Date: Fri, 18 Aug 2017 22:37:30 +0300
Subject: Adjust the fix for infinite loops with a drained ADTS stream
This should have less risk of causing other issues.
---
 libMpegTPDec/src/tpdec_lib.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'libMpegTPDec')
diff --git a/libMpegTPDec/src/tpdec_lib.cpp b/libMpegTPDec/src/tpdec_lib.cpp
index 09f0703..5760752 100644
--- a/libMpegTPDec/src/tpdec_lib.cpp
+++ b/libMpegTPDec/src/tpdec_lib.cpp
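Review bot: The now-unconditional `FDKfeedBuffer` call in the -342 hunk of tpdec_lib.cpp carries no comment saying why appending is safe while `numberOfRawDataBlocks > 0`. The removed test looks like it held back new input until the current ADTS frame was consumed, but that is inferred, because the rest of transportDec_FillData lies outside the hunk. If unconditional feeding is intended, a comment on the call such as `/* always append: a header-supplied numberOfRawDataBlocks must not block refilling a drained buffer */` would keep the rationale next to the code.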
@@ -342,7 +342,9 @@ TRANSPORTDEC_ERROR transportDec_FillData(
 }
 } else {
 /* ... else feed bitbuffer with new stream data (append). */
- FDKfeedBuffer (hBs, pBuffer, bufferSize, pBytesValid);
+ if ((hTp->numberOfRawDataBlocks <= 0) || (FDKgetValidBits(hBs)==0)) {
+ FDKfeedBuffer (hBs, pBuffer, bufferSize, pBytesValid) ;
+ }
 }
 return TRANSPORTDEC_OK;
-- cgit v1.2.3
From e2e35b82738dc9d5e5229477d49d557cadad4dc7 Mon Sep 17 00:00:00 2001
From: Doug Benedict
Date: Wed, 20 Sep 2017 14:30:42 -0700
Subject: Make sure there are enough bits when reading ADTS header.
---
 libMpegTPDec/src/tpdec_adts.cpp | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'libMpegTPDec')
diff --git a/libMpegTPDec/src/tpdec_adts.cpp b/libMpegTPDec/src/tpdec_adts.cpp
index c455681..934fbc8 100644
--- a/libMpegTPDec/src/tpdec_adts.cpp
+++ b/libMpegTPDec/src/tpdec_adts.cpp
@@ -185,6 +185,9 @@ TRANSPORTDEC_ERROR adtsRead_DecodeHeader(
 #endif
 valBits = FDKgetValidBits(hBs);
+ if (valBits < ADTS_HEADERLENGTH) {
+ return TRANSPORTDEC_NOT_ENOUGH_BITS;
+ }
 /* adts_fixed_header */
 bs.mpeg_id = FDKreadBits(hBs, Adts_Length_Id);
-- cgit v1.2.3
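Review bot: The added `FDKgetValidBits(hBs)==0` test in transportDec_FillData reopens feeding only when the bit buffer is completely empty, so a stream that leaves a few residual bits while `numberOfRawDataBlocks > 0` still receives no new data. Whether that state can stall the caller the way the fully drained case did depends on code outside this hunk. If it can, the threshold should be the number of bits the next read needs rather than zero. Either way, a comment on the condition such as `/* mid-frame, refill only once the buffer is fully drained */` would record the intent.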
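Review bot: The new early return in adtsRead_DecodeHeader covers only the first `ADTS_HEADERLENGTH` bits, so any field the function reads beyond that length (for instance a CRC word when protection is signalled, if it is read here) still depends on an availability check that this hunk does not show. It is also worth confirming that `valBits` and `ADTS_HEADERLENGTH` compare in the same signedness, since the declaration of `valBits` is outside the hunk. A comment above the check such as `/* the bitstream may end mid-header; do not read past the valid bits */` would state the reason for the guard. The function body continues beyond the hunk.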