HEVC parser: fix invalid memory access beyond the end of allocated space
The sps_t structure contains an array of 64 short_term_ref_pic_sets_t elements. Therefore at most 63 may be added to the base pointer short_term_ref_pic_sets for accessing one of those elements.

Fixes the following test cases of #1780:

explorer:id:000494,sig:11,src:001249,op:flip1,pos:63
explorer:id:000496,sig:06,src:001249,op:flip1,pos:92
explorer:id:000502,sig:06,src:001249,op:int8,pos:100,val:+32
explorer:id:000605,sig:11,src:001741,op:int32,pos:29,val:+0
explorer:id:000676,sig:06,src:002253,op:ext_AO,pos:101
explorer:id:000784,sig:11,src:002818,op:ext_AO,pos:103
explorer:id:000830,sig:11,src:003020,op:flip1,pos:103
explorer:id:000831,sig:11,src:003020,op:flip1,pos:104
explorer:id:000834,sig:11,src:003020,op:havoc,rep:2
explorer:id:000882,sig:11,src:003246,op:flip1,pos:123
explorer:id:000884,sig:11,src:003246,op:int8,pos:121,val:-128
explorer:id:000886,sig:06,src:003248,op:flip1,pos:106
explorer:id:000935,sig:11,src:003528,op:flip4,pos:130
explorer:id:000936,sig:11,src:003528,op:flip32,pos:127
explorer:id:000937,sig:11,src:003528,op:arith8,pos:130,val:+5
explorer:id:000938,sig:11,src:003528,op:int32,pos:127,val:+100
explorer:id:000939,sig:11,src:003528,op:int32,pos:128,val:+1
explorer:id:000974,sig:11,src:003742,op:flip1,pos:123
explorer:id:000975,sig:11,src:003746,op:flip1,pos:130
explorer:id:000976,sig:11,src:003746,op:flip1,pos:130
explorer:id:000977,sig:11,src:003746,op:flip1,pos:133
explorer:id:000978,sig:11,src:003746,op:flip1,pos:133
explorer:id:000979,sig:11,src:003746,op:flip2,pos:134
explorer:id:000980,sig:11,src:003746,op:arith8,pos:133,val:-3
explorer:id:001003,sig:11,src:003976,op:flip1,pos:127
explorer:id:001019,sig:11,src:004180,op:flip1,pos:9
explorer:id:001020,sig:11,src:004180,op:int32,pos:143,val:be:+1
explorer:id:001021,sig:11,src:004180,op:havoc,rep:2
parent
7b7c7423d2
commit
8a3c7197a2
@ -1,5 +1,9 @@
|
||||
2016-09-06 Moritz Bunkus <moritz@bunkus.org>
|
||||
|
||||
* mkvmerge: bug fix: HEVC parser: fixed an invalid memory access
|
||||
(beyond the end of allocated space). Fixes several test cases of
|
||||
#1780.
|
||||
|
||||
* mkvmerge: bug fix: fixed an invalid memory access (use after
|
||||
free) during global destruction phase. Fixes several test cases of
|
||||
#1780.
|
||||
|
@ -703,6 +703,9 @@ short_term_ref_pic_set_copy(bit_reader_c &r,
|
||||
cur_st_rp_set->delta_idx = code + 1;
|
||||
ref_idx = idxRps - 1 - code;
|
||||
|
||||
if (ref_idx >= 64)
|
||||
throw false;
|
||||
|
||||
ref_st_rp_set = short_term_ref_pic_sets + ref_idx;
|
||||
|
||||
cur_st_rp_set->delta_rps_sign = w.copy_bits(1, r); // delta_rps_sign
|
||||
|
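Review bot: The added guard `if (ref_idx >= 64)` bounds the index only from above, and the declaration of `ref_idx` lies outside this hunk. If it is a signed type, a `code` larger than `idxRps - 1` makes `ref_idx` negative, which passes the check and makes `short_term_ref_pic_sets + ref_idx` point before the array; if it is unsigned, the wrap-around is rejected only as a side effect. I would make both bounds explicit, e.g. `if ((ref_idx < 0) || (ref_idx >= 64))` for a signed index. The literal 64 also repeats the array length given in the commit message, so a named constant shared with the `sps_t` declaration would keep the two from drifting apart. The body of `short_term_ref_pic_set_copy` begins and ends outside the hunk.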
@ -404,3 +404,4 @@ T_555appending_with_square_brackets:cd1bfe07d702f4729d40d7f4476dfc41-cd1bfe07d70
|
||||
T_556prores:cefc5f55889463321b03075bcf9f5e7b-5fbfaf0b69674d62d4edb2e3d1f05eb4-42d78339046f12ae6885ffa3a7b4ac4c-f13f5e34d64f730ff73ba61a6f4cb00e-36827931dbfa0097418745e669892fd1-36827931dbfa0097418745e669892fd1:passed:20160806-201730:0.656227356
|
||||
T_557dts_hd_ma_xll_extension:96000-192000-7f61832d35165f4600c0ac06b3a109dc-7f61832d35165f4600c0ac06b3a109dc:passed:20160810-203155:1.196256604
|
||||
T_558segfaults_issue_1780_part_1:error-error-error-error-error:passed:20160906-210126:0.035867258
|
||||
T_559segfaults_issue_1780_part_2:error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error:passed:20160906-225430:0.206571838
|
||||
|
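--- /dev/null
+++ b/tests/test-559segfaults_issue_1780_part_2.rb
@@ -0,0 +1,40 @@
+#!/usr/bin/ruby -w
+
+# T_559segfaults_issue_1780_part_2
+describe "mkvmerge / various test cases for segfaults collected in issue 1780 part 2"
+
+dir = "data/segfaults-assertions/issue-1780"
+
+# "HEVC parser: fix invalid memory access beyond the end of allocated space"
+%w{
+explorer:id:000494,sig:11,src:001249,op:flip1,pos:63
+explorer:id:000496,sig:06,src:001249,op:flip1,pos:92
+explorer:id:000502,sig:06,src:001249,op:int8,pos:100,val:+32
+explorer:id:000605,sig:11,src:001741,op:int32,pos:29,val:+0
+explorer:id:000676,sig:06,src:002253,op:ext_AO,pos:101
+explorer:id:000784,sig:11,src:002818,op:ext_AO,pos:103
+explorer:id:000830,sig:11,src:003020,op:flip1,pos:103
+explorer:id:000831,sig:11,src:003020,op:flip1,pos:104
+explorer:id:000834,sig:11,src:003020,op:havoc,rep:2
+explorer:id:000882,sig:11,src:003246,op:flip1,pos:123
+explorer:id:000884,sig:11,src:003246,op:int8,pos:121,val:-128
+explorer:id:000886,sig:06,src:003248,op:flip1,pos:106
+explorer:id:000935,sig:11,src:003528,op:flip4,pos:130
+explorer:id:000936,sig:11,src:003528,op:flip32,pos:127
+explorer:id:000937,sig:11,src:003528,op:arith8,pos:130,val:+5
+explorer:id:000938,sig:11,src:003528,op:int32,pos:127,val:+100
+explorer:id:000939,sig:11,src:003528,op:int32,pos:128,val:+1
+explorer:id:000974,sig:11,src:003742,op:flip1,pos:123
+explorer:id:000975,sig:11,src:003746,op:flip1,pos:130
+explorer:id:000976,sig:11,src:003746,op:flip1,pos:130
+explorer:id:000977,sig:11,src:003746,op:flip1,pos:133
+explorer:id:000978,sig:11,src:003746,op:flip1,pos:133
+explorer:id:000979,sig:11,src:003746,op:flip2,pos:134
+explorer:id:000980,sig:11,src:003746,op:arith8,pos:133,val:-3
+explorer:id:001003,sig:11,src:003976,op:flip1,pos:127
+explorer:id:001019,sig:11,src:004180,op:flip1,pos:9
+explorer:id:001020,sig:11,src:004180,op:int32,pos:143,val:be:+1
+explorer:id:001021,sig:11,src:004180,op:havoc,rep:2
+}.each do |file|
+test_merge "#{dir}/#{file}", :exit_code => :error
+end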
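Review bot: The loop asserts only `:exit_code => :error` for each sample, so it guards against a regression only when the out-of-bounds access actually faults; a read past the array that stays inside mapped memory may not change the exit status. `test_merge` is defined outside this page, so how it treats termination by signal is not visible here. I would record the precondition in a comment above the `%w{` list, for example `# these inputs only prove the fix when mkvmerge is built with a memory sanitizer or run under valgrind`.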