Skip to content

decoder: fix heap-buffer-overflow in Intra_PCM decoding#3950

Open
bwendling wants to merge 1 commit into
cisco:masterfrom
bwendling:heap-buffer-overflow
Open

decoder: fix heap-buffer-overflow in Intra_PCM decoding#3950
bwendling wants to merge 1 commit into
cisco:masterfrom
bwendling:heap-buffer-overflow

Conversation

@bwendling

Copy link
Copy Markdown

Fix a heap-buffer-overflow vulnerability in
WelsActualDecodeMbCavlcISlice, WelsActualDecodeMbCavlcPSlice, and WelsActualDecodeMbCavlcBSlice when handling MB_TYPE_INTRA_PCM macroblocks.

The decoder previously performed an unconditional read of 384 bytes from the bitstream buffer without verifying the remaining buffer size or the uiChromaFormatIdc value. On truncated or malformed bitstreams, this resulted in reading past pBs->pEndBuf. Additionally, the code incorrectly attempted to process chroma data for monochrome (4:0:0) streams.

Changes:

  • Added a boundary check against pBs->pEndBuf before reading PCM data.
  • Calculated required data size (384 bytes for 4:2:0, 256 bytes for 4:0:0) based on uiChromaFormatIdc.
  • Conditioned chroma data copying and bitstream pointer advancement on the chroma format.
  • Ensured pBs->pCurBuf is advanced by the correct byte count.

This fix prevents out-of-bounds access when pBs->pCurBuf - iIndex + size exceeds the allocated bitstream buffer.

Fixes: https://issues.oss-fuzz.com/issues/479908882

Fix a heap-buffer-overflow vulnerability in
`WelsActualDecodeMbCavlcISlice`, `WelsActualDecodeMbCavlcPSlice`, and
`WelsActualDecodeMbCavlcBSlice` when handling `MB_TYPE_INTRA_PCM`
macroblocks.

The decoder previously performed an unconditional read of 384 bytes from
the bitstream buffer without verifying the remaining buffer size or the
`uiChromaFormatIdc` value. On truncated or malformed bitstreams, this
resulted in reading past `pBs->pEndBuf`. Additionally, the code
incorrectly attempted to process chroma data for monochrome (4:0:0)
streams.

Changes:
- Added a boundary check against `pBs->pEndBuf` before reading PCM data.
- Calculated required data size (384 bytes for 4:2:0, 256 bytes for 4:0:0)
  based on `uiChromaFormatIdc`.
- Conditioned chroma data copying and bitstream pointer advancement on
  the chroma format.
- Ensured `pBs->pCurBuf` is advanced by the correct byte count.

This fix prevents out-of-bounds access when `pBs->pCurBuf - iIndex + size`
exceeds the allocated bitstream buffer.

Co-authored-by: CodeMender <codemender-patching@google.com>
Fixes: https://issues.oss-fuzz.com/issues/479908882
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants