Fix integer overflow in h264 pps parser

Bug: chromium:1250730
Change-Id: Idda8e92262af7c3190698e1fb5ba001f6de55c47
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/232327
Reviewed-by: Erik Språng <sprang@webrtc.org>
Reviewed-by: Stefan Holmer <stefan@webrtc.org>
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#35036}
Danil Chapovalov 2021-09-17 18:14:20 +02:00 committed by WebRTC LUCI CQ
parent 3852698ad9
commit 057f90b7cb
3 changed files with 8 additions and 1 deletions


@ -11,6 +11,7 @@
#include "common_video/h264/pps_parser.h"
#include <cstdint>
#include <limits>
#include <vector>
#include "absl/numeric/bits.h"
@ -116,7 +117,12 @@ absl::optional<PpsParser::PpsState> PpsParser::ParseInternal(
// slice_group_id: array of size pic_size_in_map_units, each element
// is represented by ceil(log2(num_slice_groups_minus1 + 1)) bits.
reader.ConsumeBits(slice_group_id_bits * pic_size_in_map_units);
int64_t bits_to_consume =
int64_t{slice_group_id_bits} * pic_size_in_map_units;
if (!reader.Ok() || bits_to_consume > std::numeric_limits<int>::max()) {
return absl::nullopt;
}
reader.ConsumeBits(bits_to_consume);
}
}
// num_ref_idx_l0_default_active_minus1: ue(v)
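Review bot: The guard in front of `reader.ConsumeBits(bits_to_consume)` bounds the product only from above, and the call then narrows an `int64_t` implicitly. The declarations of `slice_group_id_bits` and `pic_size_in_map_units` are outside the hunk, so if either is signed, a negative product would pass the check. Both values are derived from the bitstream, so I would make the accepted range explicit and the narrowing visible: `if (!reader.Ok() || bits_to_consume < 0 || bits_to_consume > std::numeric_limits<int>::max()) {` followed by `reader.ConsumeBits(static_cast<int>(bits_to_consume));`. A one-line comment such as `// ConsumeBits takes an int; reject bit counts that would not fit.` would record why the limit is int's maximum, which is presumably the parameter type but is not visible here. ParseInternal's body starts and ends outside the hunk.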


@ -78,6 +78,7 @@ template("webrtc_fuzzer_test") {
webrtc_fuzzer_test("h264_depacketizer_fuzzer") {
sources = [ "h264_depacketizer_fuzzer.cc" ]
deps = [ "../../modules/rtp_rtcp" ]
seed_corpus = "corpora/h264-depacketizer-fuzzer-corpus"
}
webrtc_fuzzer_test("vp8_depacketizer_fuzzer") {