HEVC parser: fix invalid memory access beyond the end of allocated space

The sps_t structure contains an array of 64 short_term_ref_pic_sets_t
elements. Therefore at most 63 may be added to the base pointer
short_term_ref_pic_sets for accessing one of those elements.

Fixes the following test cases of #1780:

explorer:id:000494,sig:11,src:001249,op:flip1,pos:63
explorer:id:000496,sig:06,src:001249,op:flip1,pos:92
explorer:id:000502,sig:06,src:001249,op:int8,pos:100,val:+32
explorer:id:000605,sig:11,src:001741,op:int32,pos:29,val:+0
explorer:id:000676,sig:06,src:002253,op:ext_AO,pos:101
explorer:id:000784,sig:11,src:002818,op:ext_AO,pos:103
explorer:id:000830,sig:11,src:003020,op:flip1,pos:103
explorer:id:000831,sig:11,src:003020,op:flip1,pos:104
explorer:id:000834,sig:11,src:003020,op:havoc,rep:2
explorer:id:000882,sig:11,src:003246,op:flip1,pos:123
explorer:id:000884,sig:11,src:003246,op:int8,pos:121,val:-128
explorer:id:000886,sig:06,src:003248,op:flip1,pos:106
explorer:id:000935,sig:11,src:003528,op:flip4,pos:130
explorer:id:000936,sig:11,src:003528,op:flip32,pos:127
explorer:id:000937,sig:11,src:003528,op:arith8,pos:130,val:+5
explorer:id:000938,sig:11,src:003528,op:int32,pos:127,val:+100
explorer:id:000939,sig:11,src:003528,op:int32,pos:128,val:+1
explorer:id:000974,sig:11,src:003742,op:flip1,pos:123
explorer:id:000975,sig:11,src:003746,op:flip1,pos:130
explorer:id:000976,sig:11,src:003746,op:flip1,pos:130
explorer:id:000977,sig:11,src:003746,op:flip1,pos:133
explorer:id:000978,sig:11,src:003746,op:flip1,pos:133
explorer:id:000979,sig:11,src:003746,op:flip2,pos:134
explorer:id:000980,sig:11,src:003746,op:arith8,pos:133,val:-3
explorer:id:001003,sig:11,src:003976,op:flip1,pos:127
explorer:id:001019,sig:11,src:004180,op:flip1,pos:9
explorer:id:001020,sig:11,src:004180,op:int32,pos:143,val:be:+1
explorer:id:001021,sig:11,src:004180,op:havoc,rep:2
Moritz Bunkus 2016-09-06 21:43:30 +02:00
parent 7b7c7423d2
commit 8a3c7197a2
4 changed files with 48 additions and 0 deletions


@ -1,5 +1,9 @@
2016-09-06 Moritz Bunkus <moritz@bunkus.org>
* mkvmerge: bug fix: HEVC parser: fixed an invalid memory access
(beyond the end of allocated space). Fixes several test cases of
#1780.
* mkvmerge: bug fix: fixed an invalid memory access (use after
free) during global destruction phase. Fixes several test cases of
#1780.


@ -703,6 +703,9 @@ short_term_ref_pic_set_copy(bit_reader_c &r,
cur_st_rp_set->delta_idx = code + 1;
ref_idx = idxRps - 1 - code;
if (ref_idx >= 64)
throw false;
ref_st_rp_set = short_term_ref_pic_sets + ref_idx;
cur_st_rp_set->delta_rps_sign = w.copy_bits(1, r); // delta_rps_sign
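Review bot: The new guard `if (ref_idx >= 64)` only bounds the index from above, while `ref_idx = idxRps - 1 - code` goes negative whenever the bitstream supplies a `code` of `idxRps` or more; if `ref_idx` is declared with a signed type (its declaration is outside the hunk) such a value passes the check and `short_term_ref_pic_sets + ref_idx` still points before the array, and if it is unsigned the wrap-around is caught only by accident. The HEVC constraint on delta_idx_minus1 is 0..stRpsIdx-1, so stating the lower bound directly is clearer and independent of the index type: `if ((code >= idxRps) || (ref_idx >= 64)) throw false;`. The literal 64 duplicates the array size from sps_t; a named constant shared with the array declaration would keep the two in sync. short_term_ref_pic_set_copy starts and ends outside the hunk.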


@ -404,3 +404,4 @@ T_555appending_with_square_brackets:cd1bfe07d702f4729d40d7f4476dfc41-cd1bfe07d70
T_556prores:cefc5f55889463321b03075bcf9f5e7b-5fbfaf0b69674d62d4edb2e3d1f05eb4-42d78339046f12ae6885ffa3a7b4ac4c-f13f5e34d64f730ff73ba61a6f4cb00e-36827931dbfa0097418745e669892fd1-36827931dbfa0097418745e669892fd1:passed:20160806-201730:0.656227356
T_557dts_hd_ma_xll_extension:96000-192000-7f61832d35165f4600c0ac06b3a109dc-7f61832d35165f4600c0ac06b3a109dc:passed:20160810-203155:1.196256604
T_558segfaults_issue_1780_part_1:error-error-error-error-error:passed:20160906-210126:0.035867258
T_559segfaults_issue_1780_part_2:error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error:passed:20160906-225430:0.206571838


@ -0,0 +1,40 @@
#!/usr/bin/ruby -w
# T_559segfaults_issue_1780_part_2
describe "mkvmerge / various test cases for segfaults collected in issue 1780 part 2"
dir = "data/segfaults-assertions/issue-1780"
# "HEVC parser: fix invalid memory access beyond the end of allocated space"
%w{
explorer:id:000494,sig:11,src:001249,op:flip1,pos:63
explorer:id:000496,sig:06,src:001249,op:flip1,pos:92
explorer:id:000502,sig:06,src:001249,op:int8,pos:100,val:+32
explorer:id:000605,sig:11,src:001741,op:int32,pos:29,val:+0
explorer:id:000676,sig:06,src:002253,op:ext_AO,pos:101
explorer:id:000784,sig:11,src:002818,op:ext_AO,pos:103
explorer:id:000830,sig:11,src:003020,op:flip1,pos:103
explorer:id:000831,sig:11,src:003020,op:flip1,pos:104
explorer:id:000834,sig:11,src:003020,op:havoc,rep:2
explorer:id:000882,sig:11,src:003246,op:flip1,pos:123
explorer:id:000884,sig:11,src:003246,op:int8,pos:121,val:-128
explorer:id:000886,sig:06,src:003248,op:flip1,pos:106
explorer:id:000935,sig:11,src:003528,op:flip4,pos:130
explorer:id:000936,sig:11,src:003528,op:flip32,pos:127
explorer:id:000937,sig:11,src:003528,op:arith8,pos:130,val:+5
explorer:id:000938,sig:11,src:003528,op:int32,pos:127,val:+100
explorer:id:000939,sig:11,src:003528,op:int32,pos:128,val:+1
explorer:id:000974,sig:11,src:003742,op:flip1,pos:123
explorer:id:000975,sig:11,src:003746,op:flip1,pos:130
explorer:id:000976,sig:11,src:003746,op:flip1,pos:130
explorer:id:000977,sig:11,src:003746,op:flip1,pos:133
explorer:id:000978,sig:11,src:003746,op:flip1,pos:133
explorer:id:000979,sig:11,src:003746,op:flip2,pos:134
explorer:id:000980,sig:11,src:003746,op:arith8,pos:133,val:-3
explorer:id:001003,sig:11,src:003976,op:flip1,pos:127
explorer:id:001019,sig:11,src:004180,op:flip1,pos:9
explorer:id:001020,sig:11,src:004180,op:int32,pos:143,val:be:+1
explorer:id:001021,sig:11,src:004180,op:havoc,rep:2
}.each do |file|
test_merge "#{dir}/#{file}", :exit_code => :error
end