From dcac6717fb9714538a658ae5145efed51a615843 Mon Sep 17 00:00:00 2001 From: Ashwin Natesan Date: Mon, 26 Feb 2024 14:02:06 +0530 Subject: [PATCH] mvcdec: Heap overflow in 'ih264d_read_coeff4x4_cabac' In some erroneous fuzzer bistreams, the slice data requires more parsing than what was implied by the distance between successive start codes. The primary culprit is the NEXTBITS macro which requires reading 4 additional bytes of the bitstream buffer. To alleviate this, 4 bytes per 4x4 TU have been additionally allocated to the bitstream buffer. Bug = ossfuzz:66989 Test: mvc_dec_fuzzer --- decoder/mvc/imvcd_api.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/decoder/mvc/imvcd_api.c b/decoder/mvc/imvcd_api.c index 1026fc8..4b1876b 100644 --- a/decoder/mvc/imvcd_api.c +++ b/decoder/mvc/imvcd_api.c @@ -733,7 +733,13 @@ static IV_API_CALL_STATUS_T imvcd_view_decode(iv_obj_t *ps_dec_hdl, imvcd_video_ if(i4_nalu_length) { - UWORD32 u4_nalu_buf_size = ((UWORD32) i4_nalu_length) + 8; + /* In some erroneous fuzzer bistreams, the slice data requires more + parsing than what was implied by the distance between successive + start codes.The primary culprit is the NEXTBITS macro which requires + reading 4 additional bytes of the bitstream buffer.To alleviate + this, 4 bytes per 4x4 TU have been additionally allocated to the + bitstream buffer. */ + UWORD32 u4_nalu_buf_size = ((UWORD32) i4_nalu_length) + 8 + 4 * 16; if(u4_nalu_buf_size > u4_bitstream_buf_size) {
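Review bot: the padding added to `u4_nalu_buf_size` is a fixed 64 bytes (`4 * 16`), while the comment and commit message describe it as "4 bytes per 4x4 TU", which reads as proportional to the slice size; if the over-read from NEXTBITS is bounded at 4 bytes past the end of the NAL unit regardless of how many TUs are parsed, say so in the comment and replace the magic numbers with a named constant, e.g. `#define NALU_BUF_OVERREAD_PADDING (8 + 4 * 16)`, so the relationship between the `+ 8` slack that was already there and the new `4 * 16` is explicit. Also state in the comment whether the extra bytes are initialized, since growing the allocation stops the out-of-bounds read but leaves the decoder consuming whatever lies in the padding unless it is zeroed. Minor: the comment has typos and missing spaces ("bistreams", "codes.The", "buffer.To").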