From 8a3c7197a263f258063939109018a01fe7e8e5d2 Mon Sep 17 00:00:00 2001 
From: Moritz Bunkus Date: Tue, 6 Sep 2016 21:43:30 +0200 Subject: [PATCH] HEVC parser: fix invalid memory access beyond the end of allocated space The sps_t structure contains an array of 64 short_term_ref_pic_sets_t elements. Therefore at most 63 may be added to the base pointer short_term_ref_pic_sets for accessing one of those elements. Fixes the following test cases of #1780: explorer:id:000494,sig:11,src:001249,op:flip1,pos:63 explorer:id:000496,sig:06,src:001249,op:flip1,pos:92 explorer:id:000502,sig:06,src:001249,op:int8,pos:100,val:+32 explorer:id:000605,sig:11,src:001741,op:int32,pos:29,val:+0 explorer:id:000676,sig:06,src:002253,op:ext_AO,pos:101 explorer:id:000784,sig:11,src:002818,op:ext_AO,pos:103 explorer:id:000830,sig:11,src:003020,op:flip1,pos:103 explorer:id:000831,sig:11,src:003020,op:flip1,pos:104 explorer:id:000834,sig:11,src:003020,op:havoc,rep:2 explorer:id:000882,sig:11,src:003246,op:flip1,pos:123 explorer:id:000884,sig:11,src:003246,op:int8,pos:121,val:-128 explorer:id:000886,sig:06,src:003248,op:flip1,pos:106 explorer:id:000935,sig:11,src:003528,op:flip4,pos:130 explorer:id:000936,sig:11,src:003528,op:flip32,pos:127 explorer:id:000937,sig:11,src:003528,op:arith8,pos:130,val:+5 explorer:id:000938,sig:11,src:003528,op:int32,pos:127,val:+100 explorer:id:000939,sig:11,src:003528,op:int32,pos:128,val:+1 explorer:id:000974,sig:11,src:003742,op:flip1,pos:123 explorer:id:000975,sig:11,src:003746,op:flip1,pos:130 explorer:id:000976,sig:11,src:003746,op:flip1,pos:130 explorer:id:000977,sig:11,src:003746,op:flip1,pos:133 explorer:id:000978,sig:11,src:003746,op:flip1,pos:133 explorer:id:000979,sig:11,src:003746,op:flip2,pos:134 explorer:id:000980,sig:11,src:003746,op:arith8,pos:133,val:-3 explorer:id:001003,sig:11,src:003976,op:flip1,pos:127 explorer:id:001019,sig:11,src:004180,op:flip1,pos:9 explorer:id:001020,sig:11,src:004180,op:int32,pos:143,val:be:+1 explorer:id:001021,sig:11,src:004180,op:havoc,rep:2 --- ChangeLog | 4 ++ src/common/hevc.cpp | 3 
++ tests/results.txt | 1 + tests/test-559segfaults_issue_1780_part_2.rb | 40 ++++++++++++++++++++ 4 files changed, 48 insertions(+) create mode 100755 tests/test-559segfaults_issue_1780_part_2.rb diff --git a/ChangeLog b/ChangeLog index f0b878f9e..b0191e4d3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 2016-09-06 Moritz Bunkus + * mkvmerge: bug fix: HEVC parser: fixed an invalid memory access + (beyond the end of allocated space). Fixes several test cases of + #1780. + * mkvmerge: bug fix: fixed an invalid memory access (use after free) during global destruction phase. Fixes several test cases of #1780. diff --git a/src/common/hevc.cpp b/src/common/hevc.cpp index badd4fe78..c21430fa6 100644 --- a/src/common/hevc.cpp +++ b/src/common/hevc.cpp @@ -703,6 +703,9 @@ short_term_ref_pic_set_copy(bit_reader_c &r, cur_st_rp_set->delta_idx = code + 1; ref_idx = idxRps - 1 - code; + if (ref_idx >= 64) + throw false; + ref_st_rp_set = short_term_ref_pic_sets + ref_idx; cur_st_rp_set->delta_rps_sign = w.copy_bits(1, r); // delta_rps_sign diff --git a/tests/results.txt b/tests/results.txt index b50387375..249b1eaa3 100644 --- a/tests/results.txt +++ b/tests/results.txt 
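Review bot: The new guard `if (ref_idx >= 64)` in the hevc.cpp hunk only closes one side of the range: with `ref_idx = idxRps - 1 - code`, a `code` larger than `idxRps - 1` produces a negative index that passes the check if `ref_idx` is a signed type (its declaration is outside the hunk), and for an unsigned type the check only works through wrap-around rather than by expressing the real constraint. H.265 7.4.8 restricts delta_idx_minus1 to 0..stRpsIdx-1, i.e. the referenced set must already have been parsed, so assuming idxRps is the current set index a check on the syntax element itself is both tighter and independent of the integer type: `if (code >= idxRps) throw false;` placed before the subtraction, which also implies `ref_idx < idxRps <= 64`. The literal 64 should not be a second copy of the array bound; deriving it from the declaration (`sizeof(short_term_ref_pic_sets) / sizeof(short_term_ref_pic_sets[0])` or a constant shared with sps_t) keeps the two from drifting apart, and a short comment such as `// delta_idx_minus1 must select an already-parsed set (spec 7.4.8)` would record why the bound is idxRps rather than the array size. short_term_ref_pic_set_copy starts before this hunk and its body continues after it.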
@@ -404,3 +404,4 @@ T_555appending_with_square_brackets:cd1bfe07d702f4729d40d7f4476dfc41-cd1bfe07d70
 T_556prores:cefc5f55889463321b03075bcf9f5e7b-5fbfaf0b69674d62d4edb2e3d1f05eb4-42d78339046f12ae6885ffa3a7b4ac4c-f13f5e34d64f730ff73ba61a6f4cb00e-36827931dbfa0097418745e669892fd1-36827931dbfa0097418745e669892fd1:passed:20160806-201730:0.656227356
 T_557dts_hd_ma_xll_extension:96000-192000-7f61832d35165f4600c0ac06b3a109dc-7f61832d35165f4600c0ac06b3a109dc:passed:20160810-203155:1.196256604
 T_558segfaults_issue_1780_part_1:error-error-error-error-error:passed:20160906-210126:0.035867258
+T_559segfaults_issue_1780_part_2:error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error-error:passed:20160906-225430:0.206571838
diff --git a/tests/test-559segfaults_issue_1780_part_2.rb b/tests/test-559segfaults_issue_1780_part_2.rb
new file mode 100755
index 000000000..e72ccd0b7
--- /dev/null
+++ b/tests/test-559segfaults_issue_1780_part_2.rb
@@ -0,0 +1,40 @@
+#!/usr/bin/ruby -w
+
+# T_559segfaults_issue_1780_part_2
+describe "mkvmerge / various test cases for segfaults collected in issue 1780 part 2"
+
+dir = "data/segfaults-assertions/issue-1780"
+
+# "HEVC parser: fix invalid memory access beyond the end of allocated space"
+%w{
+explorer:id:000494,sig:11,src:001249,op:flip1,pos:63
+explorer:id:000496,sig:06,src:001249,op:flip1,pos:92
+explorer:id:000502,sig:06,src:001249,op:int8,pos:100,val:+32
+explorer:id:000605,sig:11,src:001741,op:int32,pos:29,val:+0
+explorer:id:000676,sig:06,src:002253,op:ext_AO,pos:101
+explorer:id:000784,sig:11,src:002818,op:ext_AO,pos:103
+explorer:id:000830,sig:11,src:003020,op:flip1,pos:103
+explorer:id:000831,sig:11,src:003020,op:flip1,pos:104
+explorer:id:000834,sig:11,src:003020,op:havoc,rep:2
+explorer:id:000882,sig:11,src:003246,op:flip1,pos:123
+explorer:id:000884,sig:11,src:003246,op:int8,pos:121,val:-128
+explorer:id:000886,sig:06,src:003248,op:flip1,pos:106
+explorer:id:000935,sig:11,src:003528,op:flip4,pos:130
+explorer:id:000936,sig:11,src:003528,op:flip32,pos:127
+explorer:id:000937,sig:11,src:003528,op:arith8,pos:130,val:+5
+explorer:id:000938,sig:11,src:003528,op:int32,pos:127,val:+100
+explorer:id:000939,sig:11,src:003528,op:int32,pos:128,val:+1
+explorer:id:000974,sig:11,src:003742,op:flip1,pos:123
+explorer:id:000975,sig:11,src:003746,op:flip1,pos:130
+explorer:id:000976,sig:11,src:003746,op:flip1,pos:130
+explorer:id:000977,sig:11,src:003746,op:flip1,pos:133
+explorer:id:000978,sig:11,src:003746,op:flip1,pos:133
+explorer:id:000979,sig:11,src:003746,op:flip2,pos:134
+explorer:id:000980,sig:11,src:003746,op:arith8,pos:133,val:-3
+explorer:id:001003,sig:11,src:003976,op:flip1,pos:127
+explorer:id:001019,sig:11,src:004180,op:flip1,pos:9
+explorer:id:001020,sig:11,src:004180,op:int32,pos:143,val:be:+1
+explorer:id:001021,sig:11,src:004180,op:havoc,rep:2
+}.each do |file|
+  test_merge "#{dir}/#{file}", :exit_code => :error
+end
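Review bot: The test asserts only `:exit_code => :error` for each sample, so it shows the parser now rejects these inputs but not that the out-of-bounds access is gone: an over-read that happens not to fault or abort passes unnoticed unless the suite is run under ASan or valgrind, and nothing in this file says that it is. A one-line comment would make that expectation explicit for whoever maintains the list, e.g. `# Crash inputs from AFL (issue 1780); run under ASan/valgrind, a silent out-of-bounds read would otherwise pass.` As a matter of style, `%w[ ... ]` and `exit_code: :error` are the forms the Ruby style guide prefers, though the hash-rocket form may simply be the suite's convention. The 28 sample names match the commit message and the 28 `error` fields added to results.txt, which makes the list easy to cross-check.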