mollyim/webrtc
1
0
Fork 0
mirror of https://github.com/mollyim/webrtc.git synced 2025-05-13 05:40:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix use-of-uninitialized-value and integer-overflow issues reported by chromium fuzz testing

Browse source 
Bug: chromium:1485906,chromium:1486414
Change-Id: Ia976926fb08405c1cb03bbcfde07d2076bd6f4c2
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/321545
Reviewed-by: Erik Språng <sprang@google.com>
Reviewed-by: Sergey Silkin <ssilkin@webrtc.org>
Commit-Queue: Sergey Silkin <ssilkin@webrtc.org>
Reviewed-by: Erik Språng <sprang@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#40861}
This commit is contained in:
qwu16 2023-09-26 14:23:52 +08:00 committed by WebRTC LUCI CQ
parent 40ed3ff07e
commit 8db8824536
4 changed files with 33 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
common_video/h265/h265_bitstream_parser.cc
View file

@ -138,8 +138,7 @@ H265BitstreamParser::Result H265BitstreamParser::ParseNonParameterSetNalu(
slice_reader.ConsumeBits(1); slice_reader.ConsumeBits(1);
} }
// slice_type: ue(v) // slice_type: ue(v)
uint32_t slice_type = 0; uint32_t slice_type = slice_reader.ReadExponentialGolomb();
slice_type = slice_reader.ReadExponentialGolomb();
IN_RANGE_OR_RETURN(slice_type, 0, 2); IN_RANGE_OR_RETURN(slice_type, 0, 2);
if (pps->output_flag_present_flag) { if (pps->output_flag_present_flag) {
// pic_output_flag: u(1) // pic_output_flag: u(1)
@ -274,7 +273,7 @@ H265BitstreamParser::Result H265BitstreamParser::ParseNonParameterSetNalu(
} }
uint32_t num_pic_total_curr = 0; uint32_t num_pic_total_curr = 0;
uint32_t curr_sps_idx; uint32_t curr_sps_idx = 0;
if (short_term_ref_pic_set_sps_flag) { if (short_term_ref_pic_set_sps_flag) {
curr_sps_idx = short_term_ref_pic_set_idx; curr_sps_idx = short_term_ref_pic_set_idx;
} else { } else {

6
common_video/h265/h265_common.h
View file

@ -64,11 +64,11 @@ enum SliceType : uint8_t { kB = 0, kP = 1, kI = 2 };
struct NaluIndex { struct NaluIndex {
// Start index of NALU, including start sequence. // Start index of NALU, including start sequence.
size_t start_offset; size_t start_offset = 0;
// Start index of NALU payload, typically type header. // Start index of NALU payload, typically type header.
size_t payload_start_offset; size_t payload_start_offset = 0;
// Length of NALU payload, in bytes, counting from payload_start_offset. // Length of NALU payload, in bytes, counting from payload_start_offset.
size_t payload_size; size_t payload_size = 0;
}; };
// Returns a vector of the NALU indices in the given buffer. // Returns a vector of the NALU indices in the given buffer.

28
common_video/h265/h265_sps_parser.cc
View file

@ -111,7 +111,7 @@ absl::optional<H265SpsParser::SpsState> H265SpsParser::ParseSps(
} }
bool H265SpsParser::ParseScalingListData(BitstreamReader& reader) { bool H265SpsParser::ParseScalingListData(BitstreamReader& reader) {
int32_t scaling_list_dc_coef_minus8[kMaxNumSizeIds][kMaxNumMatrixIds]; int32_t scaling_list_dc_coef_minus8[kMaxNumSizeIds][kMaxNumMatrixIds] = {};
for (int size_id = 0; size_id < kMaxNumSizeIds; size_id++) { for (int size_id = 0; size_id < kMaxNumSizeIds; size_id++) {
for (int matrix_id = 0; matrix_id < kMaxNumMatrixIds; for (int matrix_id = 0; matrix_id < kMaxNumMatrixIds;
matrix_id += (size_id == 3) ? 3 : 1) { matrix_id += (size_id == 3) ? 3 : 1) {
@ -182,8 +182,8 @@ H265SpsParser::ParseShortTermRefPicSet(
short_term_ref_pic_set[ref_rps_idx].num_delta_pocs; short_term_ref_pic_set[ref_rps_idx].num_delta_pocs;
IN_RANGE_OR_RETURN_NULL(num_delta_pocs, 0, kMaxShortTermRefPicSets); IN_RANGE_OR_RETURN_NULL(num_delta_pocs, 0, kMaxShortTermRefPicSets);
const ShortTermRefPicSet& ref_set = short_term_ref_pic_set[ref_rps_idx]; const ShortTermRefPicSet& ref_set = short_term_ref_pic_set[ref_rps_idx];
bool used_by_curr_pic_flag[kMaxShortTermRefPicSets]; bool used_by_curr_pic_flag[kMaxShortTermRefPicSets] = {};
bool use_delta_flag[kMaxShortTermRefPicSets]; bool use_delta_flag[kMaxShortTermRefPicSets] = {};
// 7.4.8 - use_delta_flag defaults to 1 if not present. // 7.4.8 - use_delta_flag defaults to 1 if not present.
std::fill_n(use_delta_flag, kMaxShortTermRefPicSets, true); std::fill_n(use_delta_flag, kMaxShortTermRefPicSets, true);
@ -266,7 +266,7 @@ H265SpsParser::ParseShortTermRefPicSet(
for (uint32_t i = 0; i < st_ref_pic_set.num_negative_pics; i++) { for (uint32_t i = 0; i < st_ref_pic_set.num_negative_pics; i++) {
// delta_poc_s0_minus1: ue(v) // delta_poc_s0_minus1: ue(v)
int delta_poc_s0_minus1; int delta_poc_s0_minus1 = 0;
delta_poc_s0_minus1 = reader.ReadExponentialGolomb(); delta_poc_s0_minus1 = reader.ReadExponentialGolomb();
IN_RANGE_OR_RETURN_NULL(delta_poc_s0_minus1, 0, 0x7FFF); IN_RANGE_OR_RETURN_NULL(delta_poc_s0_minus1, 0, 0x7FFF);
if (i == 0) { if (i == 0) {
@ -281,7 +281,7 @@ H265SpsParser::ParseShortTermRefPicSet(
for (uint32_t i = 0; i < st_ref_pic_set.num_positive_pics; i++) { for (uint32_t i = 0; i < st_ref_pic_set.num_positive_pics; i++) {
// delta_poc_s1_minus1: ue(v) // delta_poc_s1_minus1: ue(v)
int delta_poc_s1_minus1; int delta_poc_s1_minus1 = 0;
delta_poc_s1_minus1 = reader.ReadExponentialGolomb(); delta_poc_s1_minus1 = reader.ReadExponentialGolomb();
IN_RANGE_OR_RETURN_NULL(delta_poc_s1_minus1, 0, 0x7FFF); IN_RANGE_OR_RETURN_NULL(delta_poc_s1_minus1, 0, 0x7FFF);
if (i == 0) { if (i == 0) {
@ -319,10 +319,8 @@ H265SpsParser::ParseProfileTierLevel(bool profile_present,
reader.ConsumeBits(1); reader.ConsumeBits(1);
pf_tier_level.general_profile_idc = reader.ReadBits(5); pf_tier_level.general_profile_idc = reader.ReadBits(5);
IN_RANGE_OR_RETURN_NULL(pf_tier_level.general_profile_idc, 0, 11); IN_RANGE_OR_RETURN_NULL(pf_tier_level.general_profile_idc, 0, 11);
uint16_t general_profile_compatibility_flag_high16; uint16_t general_profile_compatibility_flag_high16 = reader.ReadBits(16);
uint16_t general_profile_compatibility_flag_low16; uint16_t general_profile_compatibility_flag_low16 = reader.ReadBits(16);
general_profile_compatibility_flag_high16 = reader.ReadBits(16);
general_profile_compatibility_flag_low16 = reader.ReadBits(16);
pf_tier_level.general_profile_compatibility_flags = pf_tier_level.general_profile_compatibility_flags =
(general_profile_compatibility_flag_high16 << 16) + (general_profile_compatibility_flag_high16 << 16) +
general_profile_compatibility_flag_low16; general_profile_compatibility_flag_low16;
@ -344,8 +342,8 @@ H265SpsParser::ParseProfileTierLevel(bool profile_present,
reader.ConsumeBits(1); reader.ConsumeBits(1);
} }
pf_tier_level.general_level_idc = reader.ReadBits(8); pf_tier_level.general_level_idc = reader.ReadBits(8);
bool sub_layer_profile_present_flag[8]; bool sub_layer_profile_present_flag[8] = {};
bool sub_layer_level_present_flag[8]; bool sub_layer_level_present_flag[8] = {};
for (int i = 0; i < max_num_sub_layers_minus1; ++i) { for (int i = 0; i < max_num_sub_layers_minus1; ++i) {
sub_layer_profile_present_flag[i] = reader.ReadBits(1); sub_layer_profile_present_flag[i] = reader.ReadBits(1);
sub_layer_level_present_flag[i] = reader.ReadBits(1); sub_layer_level_present_flag[i] = reader.ReadBits(1);
@ -443,7 +441,7 @@ absl::optional<H265SpsParser::SpsState> H265SpsParser::ParseSpsInternal(
// Equation A-2: Calculate max_dpb_size. // Equation A-2: Calculate max_dpb_size.
uint32_t max_luma_ps = GetMaxLumaPs(profile_tier_level->general_level_idc); uint32_t max_luma_ps = GetMaxLumaPs(profile_tier_level->general_level_idc);
uint32_t max_dpb_size; uint32_t max_dpb_size = 0;
uint32_t pic_size_in_samples_y = pic_height_in_luma_samples; uint32_t pic_size_in_samples_y = pic_height_in_luma_samples;
pic_size_in_samples_y *= pic_width_in_luma_samples; pic_size_in_samples_y *= pic_width_in_luma_samples;
size_t max_dpb_pic_buf = size_t max_dpb_pic_buf =
@ -503,7 +501,7 @@ absl::optional<H265SpsParser::SpsState> H265SpsParser::ParseSpsInternal(
uint32_t sps_sub_layer_ordering_info_present_flag = 0; uint32_t sps_sub_layer_ordering_info_present_flag = 0;
// sps_sub_layer_ordering_info_present_flag: u(1) // sps_sub_layer_ordering_info_present_flag: u(1)
sps_sub_layer_ordering_info_present_flag = reader.Read<bool>(); sps_sub_layer_ordering_info_present_flag = reader.Read<bool>();
uint32_t sps_max_num_reorder_pics[kMaxSubLayers]; uint32_t sps_max_num_reorder_pics[kMaxSubLayers] = {};
for (uint32_t i = (sps_sub_layer_ordering_info_present_flag != 0) for (uint32_t i = (sps_sub_layer_ordering_info_present_flag != 0)
? 0 ? 0
: sps_max_sub_layers_minus1; : sps_max_sub_layers_minus1;
@ -552,8 +550,8 @@ absl::optional<H265SpsParser::SpsState> H265SpsParser::ParseSpsInternal(
// log2_min_luma_transform_block_size_minus2: ue(v) // log2_min_luma_transform_block_size_minus2: ue(v)
int log2_min_luma_transform_block_size_minus2 = int log2_min_luma_transform_block_size_minus2 =
reader.ReadExponentialGolomb(); reader.ReadExponentialGolomb();
TRUE_OR_RETURN(log2_min_luma_transform_block_size_minus2 < IN_RANGE_OR_RETURN_NULL(log2_min_luma_transform_block_size_minus2, 0,
min_cb_log2_size_y - 2); min_cb_log2_size_y - 3);
int min_tb_log2_size_y = log2_min_luma_transform_block_size_minus2 + 2; int min_tb_log2_size_y = log2_min_luma_transform_block_size_minus2 + 2;
// log2_diff_max_min_luma_transform_block_size: ue(v) // log2_diff_max_min_luma_transform_block_size: ue(v)
int log2_diff_max_min_luma_transform_block_size = int log2_diff_max_min_luma_transform_block_size =

30
common_video/h265/h265_sps_parser.h
View file

@ -47,29 +47,29 @@ class H265SpsParser {
struct ProfileTierLevel { struct ProfileTierLevel {
ProfileTierLevel(); ProfileTierLevel();
// Syntax elements. // Syntax elements.
int general_profile_idc; int general_profile_idc = 0;
int general_level_idc; // 30x the actual level. int general_level_idc = 0; // 30x the actual level.
uint32_t general_profile_compatibility_flags; uint32_t general_profile_compatibility_flags = 0;
bool general_progressive_source_flag; bool general_progressive_source_flag = false;
bool general_interlaced_source_flag; bool general_interlaced_source_flag = false;
bool general_non_packed_constraint_flag; bool general_non_packed_constraint_flag = false;
bool general_frame_only_constraint_flag; bool general_frame_only_constraint_flag = false;
bool general_one_picture_only_constraint_flag; bool general_one_picture_only_constraint_flag = false;
}; };
struct ShortTermRefPicSet { struct ShortTermRefPicSet {
ShortTermRefPicSet(); ShortTermRefPicSet();
// Syntax elements. // Syntax elements.
uint32_t num_negative_pics; uint32_t num_negative_pics = 0;
uint32_t num_positive_pics; uint32_t num_positive_pics = 0;
uint32_t delta_poc_s0[kMaxShortTermRefPicSets]; uint32_t delta_poc_s0[kMaxShortTermRefPicSets] = {};
uint32_t used_by_curr_pic_s0[kMaxShortTermRefPicSets]; uint32_t used_by_curr_pic_s0[kMaxShortTermRefPicSets] = {};
uint32_t delta_poc_s1[kMaxShortTermRefPicSets]; uint32_t delta_poc_s1[kMaxShortTermRefPicSets] = {};
uint32_t used_by_curr_pic_s1[kMaxShortTermRefPicSets]; uint32_t used_by_curr_pic_s1[kMaxShortTermRefPicSets] = {};
// Calculated fields. // Calculated fields.
uint32_t num_delta_pocs; uint32_t num_delta_pocs = 0;
}; };
// The parsed state of the SPS. Only some select values are stored. // The parsed state of the SPS. Only some select values are stored.