The branch, release/8.0 has been updated
via dd00a614e16a15db0b230dfe45790e913e593695 (commit)
via 046a8293e1665e7d794b3595cb746e5206299ab3 (commit)
via d961a634fbea691d76a2eb31d4b79fd4a7b36271 (commit)
from d8605a6b5549887edcca69c1ba0400fe14e0de3d (commit)
- Log -----------------------------------------------------------------
commit dd00a614e16a15db0b230dfe45790e913e593695
Author: James Almer <[email protected]>
AuthorDate: Thu Oct 9 00:31:57 2025 -0300
Commit: James Almer <[email protected]>
CommitDate: Thu Oct 9 12:15:41 2025 -0300
avcodec/hevc/sei: don't attempt to use stale values in HEVCSEITDRDI
Invalidate the whole struct on SEI reset.
Signed-off-by: James Almer <[email protected]>
(cherry picked from commit 8e01bff774aeacdeb8cc9fb5a6fe8c958bdfa704)
diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index f44bda8a92..8a845f54f3 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -4106,7 +4106,7 @@ static int hevc_sei_to_context(AVCodecContext *avctx,
HEVCSEI *sei)
{
int ret;
- if (sei->tdrdi.num_ref_displays) {
+ if (sei->tdrdi.present) {
AVBufferRef *buf;
size_t size;
AV3DReferenceDisplaysInfo *tdrdi =
av_tdrdi_alloc(sei->tdrdi.num_ref_displays, &size);
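Review bot: the guard at if (sei->tdrdi.present) no longer looks at num_ref_displays, yet that count is still passed straight to av_tdrdi_alloc() a few lines below, so the call is only safe as long as the parser sets present after storing a validated count. A short comment stating that invariant, or an av_assert1(sei->tdrdi.num_ref_displays) next to the allocation, would keep the two from drifting apart.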
diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c
index e81dfcbff9..5fd4e763b3 100644
--- a/libavcodec/hevc/sei.c
+++ b/libavcodec/hevc/sei.c
@@ -217,6 +217,8 @@ static int
decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
}
s->three_dimensional_reference_displays_extension_flag = get_bits1(gb);
+ s->present = 1;
+
return 0;
}
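Review bot: present is set at the end of decode_nal_sei_3d_reference_displays_info() but is not cleared at its start, so if a second SEI of this type fails one of the AVERROR_INVALIDDATA checks after an earlier one succeeded, present stays 1 while the fields before the failure point have already been overwritten. Setting s->present = 0 as the first statement of the function would make any failed parse leave the struct marked invalid until the next successful one.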
diff --git a/libavcodec/hevc/sei.h b/libavcodec/hevc/sei.h
index c4714bb7c5..d6891d60a6 100644
--- a/libavcodec/hevc/sei.h
+++ b/libavcodec/hevc/sei.h
@@ -93,6 +93,7 @@ typedef struct HEVCSEITDRDI {
uint8_t additional_shift_present_flag[32];
int16_t num_sample_shift[32];
uint8_t three_dimensional_reference_displays_extension_flag;
+ int present;
} HEVCSEITDRDI;
typedef struct HEVCSEIRecoveryPoint {
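Review bot: the new int present member sits at the end of a struct whose other members mirror bitstream syntax elements and use fixed-width types, with nothing to mark it as decoder-side state. A one-line comment saying that it is set only after a complete, validated parse, plus a type matching the neighbouring uint8_t flag, would make that clear to the next reader.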
@@ -126,6 +127,7 @@ int ff_hevc_decode_nal_sei(GetBitContext *gb, void *logctx,
HEVCSEI *s,
*/
static inline void ff_hevc_reset_sei(HEVCSEI *sei)
{
+ sei->tdrdi.present = 0;
ff_h2645_sei_reset(&sei->common);
}
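Review bot: ff_hevc_reset_sei() clears only tdrdi.present, so the other HEVCSEITDRDI members keep whatever the previous SEI stored and stay readable by any code that does not test present first. Worth saying in the doc comment above the function that the tdrdi fields are meaningful only while present is set, so later users of the struct do not go back to testing num_ref_displays.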
commit 046a8293e1665e7d794b3595cb746e5206299ab3
Author: James Almer <[email protected]>
AuthorDate: Thu Oct 9 00:31:10 2025 -0300
Commit: James Almer <[email protected]>
CommitDate: Thu Oct 9 12:15:41 2025 -0300
avcodec/hevc/sei: prevent storing a potentially bogus num_ref_displays value in HEVCSEITDRDI
Fixes: 439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680
Fixes: out of array access
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <[email protected]>
(cherry picked from commit d448d6d1a0a4cdc76499c137742fdd8b30b9e7de)
diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c
index b8e98cde89..e81dfcbff9 100644
--- a/libavcodec/hevc/sei.c
+++ b/libavcodec/hevc/sei.c
@@ -167,6 +167,8 @@ static int decode_nal_sei_timecode(HEVCSEITimeCode *s,
GetBitContext *gb)
static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s,
GetBitContext *gb)
{
+ unsigned num_ref_displays;
+
s->prec_ref_display_width = get_ue_golomb(gb);
if (s->prec_ref_display_width > 31)
return AVERROR_INVALIDDATA;
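Review bot: prec_ref_display_width in the context lines is still written into the struct before its > 31 check, the same store-then-validate order this commit removes for num_ref_displays. Reading it into a local and assigning after the check, as done for num_ref_displays, would keep a rejected SEI from changing any field.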
@@ -176,10 +178,10 @@ static int
decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
if (s->prec_ref_viewing_dist > 31)
return AVERROR_INVALIDDATA;
}
- s->num_ref_displays = get_ue_golomb(gb);
- if (s->num_ref_displays > 31)
+ num_ref_displays = get_ue_golomb(gb);
+ if (num_ref_displays > 31)
return AVERROR_INVALIDDATA;
- s->num_ref_displays += 1;
+ s->num_ref_displays = num_ref_displays + 1;
for (int i = 0; i < s->num_ref_displays; i++) {
int length;
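Review bot: the bound in if (num_ref_displays > 31) is a bare constant that has to stay in step with the per-display arrays declared with 32 entries in sei.h, and the commit message ties this value to an out of array access. Deriving the limit from the array size, for example FF_ARRAY_ELEMS(s->num_sample_shift) - 1, would keep the check right if the struct ever changes.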
commit d961a634fbea691d76a2eb31d4b79fd4a7b36271
Author: James Almer <[email protected]>
AuthorDate: Tue Oct 7 15:39:34 2025 -0300
Commit: James Almer <[email protected]>
CommitDate: Thu Oct 9 12:15:41 2025 -0300
avcodec/hevc/refs: don't unconditionally discard non-IRAP frames if no IRAP frame was seen before
Should fix issue #20661
Signed-off-by: James Almer <[email protected]>
(cherry picked from commit 4377affc28d92f759d1de15ac68ce07b1aa48810)
diff --git a/libavcodec/hevc/refs.c b/libavcodec/hevc/refs.c
index ab2e075af0..15f37bfcd8 100644
--- a/libavcodec/hevc/refs.c
+++ b/libavcodec/hevc/refs.c
@@ -235,6 +235,7 @@ int ff_hevc_set_new_ref(HEVCContext *s, HEVCLayerContext
*l, int poc)
s->layers[0].cur_frame - s->layers[0].DPB : -1;
no_output = !IS_IRAP(s) && (s->poc < s->recovery_poc) &&
+ HEVC_IS_RECOVERING(s) &&
!(s->avctx->flags & AV_CODEC_FLAG_OUTPUT_CORRUPT) &&
!(s->avctx->flags2 & AV_CODEC_FLAG2_SHOW_ALL);
if (s->sh.pic_output_flag && !no_output)
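Review bot: the added HEVC_IS_RECOVERING(s) term changes which frames are output, but the no_output expression carries no comment on why the recovery state now has to be checked alongside s->poc < s->recovery_poc, and the macro's definition is not part of this diff. A brief comment above the assignment, and a regression sample for the stream from issue #20661 (the message only says it should fix it), would make the intended behaviour checkable.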
-----------------------------------------------------------------------
Summary of changes:
libavcodec/hevc/hevcdec.c | 2 +-
libavcodec/hevc/refs.c | 1 +
libavcodec/hevc/sei.c | 10 +++++++---
libavcodec/hevc/sei.h | 2 ++
4 files changed, 11 insertions(+), 4 deletions(-)
hooks/post-receive