On Sat, Jan 27, 2024 at 11:13 AM Michael Niedermayer <mich...@niedermayer.cc> wrote:
> From: James Almer <jamr...@gmail.com> > > "When aps_params_type is equal to ALF_APS or SCALING_APS, the value of > aps_adaptation_parameter_set_id shall be > in the range of 0 to 7, inclusive. > When aps_params_type is equal to LMCS_APS, the value of > aps_adaptation_parameter_set_id shall be in the range of 0 > to 3, inclusive." > > Fixes: out of array accesses > Fixes: > 65932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_VVC_fuzzer-4563412340244480 > > Found-by: continuous fuzzing process > https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/cbs_h266_syntax_template.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/libavcodec/cbs_h266_syntax_template.c > b/libavcodec/cbs_h266_syntax_template.c > index 9e479c9c314..21da8195556 100644 > --- a/libavcodec/cbs_h266_syntax_template.c > +++ b/libavcodec/cbs_h266_syntax_template.c > @@ -2457,6 +2457,7 @@ static int > FUNC(scaling_list_data)(CodedBitstreamContext *ctx, RWContext *rw, > static int FUNC(aps)(CodedBitstreamContext *ctx, RWContext *rw, > H266RawAPS *current, int prefix) > { > + int aps_id_max = MAX_UINT_BITS(5); > int err; > > if (prefix) 
> @@ -2469,7 +2470,12 @@ static int FUNC(aps)(CodedBitstreamContext *ctx, > RWContext *rw, > : VVC_SUFFIX_APS_NUT)); > > ub(3, aps_params_type); > - ub(5, aps_adaptation_parameter_set_id); > + if (current->aps_params_type == VVC_ASP_TYPE_ALF || > + current->aps_params_type == VVC_ASP_TYPE_SCALING) > + aps_id_max = 7; > + else if (current->aps_params_type == VVC_ASP_TYPE_LMCS) > + aps_id_max = 3; > + u(5, aps_adaptation_parameter_set_id, 0, aps_id_max); > flag(aps_chroma_present_flag); > if (current->aps_params_type == VVC_ASP_TYPE_ALF) > CHECK(FUNC(alf_data)(ctx, rw, current)); > --

applied, thanks, James and Michael

> 2.17.1 > > _______________________________________________ > ffmpeg-devel mailing list > ffmpeg-devel@ffmpeg.org > https://ffmpeg.org/mailman/listinfo/ffmpeg-devel > > To unsubscribe, visit link above, or email > ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
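
Review bot: the default in the first hunk, aps_id_max = MAX_UINT_BITS(5), means any aps_params_type that is not ALF, SCALING or LMCS still passes with an id of 0 to 31, because the if / else if chain in the second hunk has no final else. If those remaining type values are reserved, a short comment next to the initialisation saying the full 5-bit range is kept for them on purpose would make that intent clear; if an id from such a type can later be used as an array index, it needs its own bound or a rejection here.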
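
Review bot: the limits 7 and 3 assigned to aps_id_max in the second hunk are bare literals, and the spec sentence that justifies them lives only in the commit message. A one-line comment above the if quoting that constraint, or named constants for the two limits, would keep the reason visible in the source. Since the commit message says this fixes out of array accesses, deriving the limits from whatever constants size the arrays indexed by aps_adaptation_parameter_set_id (not visible in this diff) would stop the check and the array sizes from drifting apart.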