The branch, master has been updated
via 41c168444e6a62aeef1e2f08378064316006e822 (commit)
via 8e01bff774aeacdeb8cc9fb5a6fe8c958bdfa704 (commit)
via d448d6d1a0a4cdc76499c137742fdd8b30b9e7de (commit)
from a934d48440dbeca60b1ca701ce46cd7f3653021c (commit)
- Log -----------------------------------------------------------------
commit 41c168444e6a62aeef1e2f08378064316006e822
Author: James Almer <[email protected]>
AuthorDate: Thu Oct 9 00:32:39 2025 -0300
Commit: James Almer <[email protected]>
CommitDate: Thu Oct 9 12:09:35 2025 -0300
avcodec/hevc/sei: don't attempt to use stale values in HEVCSEITimeCode
Invalidate the whole struct on SEI reset.
Signed-off-by: James Almer <[email protected]>
diff --git a/libavcodec/hevc/sei.h b/libavcodec/hevc/sei.h
index d6891d60a6..2fcd0e8d57 100644
--- a/libavcodec/hevc/sei.h
+++ b/libavcodec/hevc/sei.h
@@ -127,6 +127,7 @@ int ff_hevc_decode_nal_sei(GetBitContext *gb, void *logctx,
HEVCSEI *s,
*/
static inline void ff_hevc_reset_sei(HEVCSEI *sei)
{
+ sei->timecode.present = 0;
sei->tdrdi.present = 0;
ff_h2645_sei_reset(&sei->common);
}
commit 8e01bff774aeacdeb8cc9fb5a6fe8c958bdfa704
Author: James Almer <[email protected]>
AuthorDate: Thu Oct 9 00:31:57 2025 -0300
Commit: James Almer <[email protected]>
CommitDate: Thu Oct 9 12:09:35 2025 -0300
avcodec/hevc/sei: don't attempt to use stale values in HEVCSEITDRDI
Invalidate the whole struct on SEI reset.
Signed-off-by: James Almer <[email protected]>
diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index b27d1d79e8..8d432a9a1f 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -4106,7 +4106,7 @@ static int hevc_sei_to_context(AVCodecContext *avctx,
HEVCSEI *sei)
{
int ret;
- if (sei->tdrdi.num_ref_displays) {
+ if (sei->tdrdi.present) {
AVBufferRef *buf;
size_t size;
AV3DReferenceDisplaysInfo *tdrdi =
av_tdrdi_alloc(sei->tdrdi.num_ref_displays, &size);
diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c
index e81dfcbff9..5fd4e763b3 100644
--- a/libavcodec/hevc/sei.c
+++ b/libavcodec/hevc/sei.c
@@ -217,6 +217,8 @@ static int
decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
}
s->three_dimensional_reference_displays_extension_flag = get_bits1(gb);
+ s->present = 1;
+
return 0;
}
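Review bot: `s->present` is set on the success path, but nothing in this hunk clears it when a later parse of the same SEI type fails partway, so the struct can end up holding a mix of old and new fields while still marked present. The consumer in `hevc_sei_to_context` now gates only on `present` and passes `num_ref_displays` straight to `av_tdrdi_alloc`. Unless `ff_hevc_reset_sei` is guaranteed to run before every SEI message is parsed (not visible here), I would add `s->present = 0;` at the top of the function, before the first `get_ue_golomb` call. The function body begins outside this hunk.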
diff --git a/libavcodec/hevc/sei.h b/libavcodec/hevc/sei.h
index c4714bb7c5..d6891d60a6 100644
--- a/libavcodec/hevc/sei.h
+++ b/libavcodec/hevc/sei.h
@@ -93,6 +93,7 @@ typedef struct HEVCSEITDRDI {
uint8_t additional_shift_present_flag[32];
int16_t num_sample_shift[32];
uint8_t three_dimensional_reference_displays_extension_flag;
+ int present;
} HEVCSEITDRDI;
typedef struct HEVCSEIRecoveryPoint {
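Review bot: The new `present` member is undocumented, although it now decides whether every other field in `HEVCSEITDRDI` may be read. A short comment would make that contract explicit, for example `int present; ///< set once the whole message has parsed successfully; cleared by ff_hevc_reset_sei()`. That wording matches where the flag is written in the other hunks of this commit.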
@@ -126,6 +127,7 @@ int ff_hevc_decode_nal_sei(GetBitContext *gb, void *logctx,
HEVCSEI *s,
*/
static inline void ff_hevc_reset_sei(HEVCSEI *sei)
{
+ sei->tdrdi.present = 0;
ff_h2645_sei_reset(&sei->common);
}
commit d448d6d1a0a4cdc76499c137742fdd8b30b9e7de
Author: James Almer <[email protected]>
AuthorDate: Thu Oct 9 00:31:10 2025 -0300
Commit: James Almer <[email protected]>
CommitDate: Thu Oct 9 12:09:35 2025 -0300
avcodec/hevc/sei: prevent storing a potentially bogus num_ref_displays
value in HEVCSEITDRDI
Fixes:
439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680
Fixes: out of array access
Found-by: continuous fuzzing process
https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <[email protected]>
diff --git a/libavcodec/hevc/sei.c b/libavcodec/hevc/sei.c
index b8e98cde89..e81dfcbff9 100644
--- a/libavcodec/hevc/sei.c
+++ b/libavcodec/hevc/sei.c
@@ -167,6 +167,8 @@ static int decode_nal_sei_timecode(HEVCSEITimeCode *s,
GetBitContext *gb)
static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s,
GetBitContext *gb)
{
+ unsigned num_ref_displays;
+
s->prec_ref_display_width = get_ue_golomb(gb);
if (s->prec_ref_display_width > 31)
return AVERROR_INVALIDDATA;
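Review bot: The context lines still assign `get_ue_golomb(gb)` straight into `s->prec_ref_display_width` and only then compare it against 31, which is the same store-then-validate pattern this commit removes for `num_ref_displays`. The `s->prec_ref_viewing_dist` check in the next hunk looks identical. If those fields are narrower than the parser's return type (their declarations are not shown), an oversized or error value could be truncated before the range check and pass it. Reading into a local first would avoid that: `unsigned v = get_ue_golomb(gb); if (v > 31) return AVERROR_INVALIDDATA; s->prec_ref_display_width = v;`. The function continues beyond this hunk.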
@@ -176,10 +178,10 @@ static int
decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
if (s->prec_ref_viewing_dist > 31)
return AVERROR_INVALIDDATA;
}
- s->num_ref_displays = get_ue_golomb(gb);
- if (s->num_ref_displays > 31)
+ num_ref_displays = get_ue_golomb(gb);
+ if (num_ref_displays > 31)
return AVERROR_INVALIDDATA;
- s->num_ref_displays += 1;
+ s->num_ref_displays = num_ref_displays + 1;
for (int i = 0; i < s->num_ref_displays; i++) {
int length;
-----------------------------------------------------------------------
Summary of changes:
libavcodec/hevc/hevcdec.c | 2 +-
libavcodec/hevc/sei.c | 10 +++++++---
libavcodec/hevc/sei.h | 3 +++
3 files changed, 11 insertions(+), 4 deletions(-)