svcdec: Fixes for NULL dereferencing in inter-layer functions
Resolution level initialization is tracked in inter layer prediction functions

Bug = ossfuzz:62290
Test: svc_dec_fuzzer
MallikarjunKamble committed Nov 3, 2023
1 parent 196f0db commit 7a6d2d9
Showing 5 changed files with 42 additions and 0 deletions.
1 change: 1 addition & 0 deletions decoder/svc/isvcd_api.c
Expand Up @@ -5183,6 +5183,7 @@ WORD32 isvcd_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op)
UWORD8 u1_layer_nal_data_present = 0;
ps_svcd_ctxt->u1_cur_layer_id = u1_res_id;
ps_svc_lyr_dec = ps_svcd_ctxt->ps_svc_dec_lyr + u1_res_id;
ps_svc_lyr_dec->u1_res_init_done = 0;
ps_dec = &ps_svc_lyr_dec->s_dec;

ps_dec->i4_decode_header = ps_dec_zero_lyr->i4_decode_header;
18 changes: 18 additions & 0 deletions decoder/svc/isvcd_parse_ebslice.c
Expand Up @@ -266,6 +266,20 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_ebmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
ps_dec->u1_currB_type = 0;
ps_dec->u2_mv_2mb[i & 0x1] = 0;

/* In case of error all the motion vectors are set to default value*/
if(ps_svc_lyr_dec->u1_res_init_done == 0)
{
mv_pred_t s_mvPred_temp = {{0, 0, 0, 0}, {-1, -1}, 0, 0};

if(ps_mv_nmb_start)
{
ih264d_rep_mv_colz(ps_dec, &s_mvPred_temp, ps_mv_nmb_start, 0,
(UWORD8) (u1_field << 1), 4, 4);
}
continue;
}


/* Look for MV Prediction and Reference Transfer in Non-I Mbs */
if(!ps_mb_part_info->u1_isI_mb)
{
Expand Down Expand Up @@ -622,6 +636,10 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_ebmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
}
}
}

if(ps_svc_lyr_dec->u1_res_init_done == 0)
return NOT_OK;

return OK;
}

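Review bot: The `continue` in the guard added at the top of the per-MB loop in `isvcd_mv_pred_ref_tfr_nby2_ebmb` skips the entire rest of the iteration, and that loop body lies outside the hunk, so it cannot be seen here whether later per-MB bookkeeping still has to run for the skipped macroblocks; the same block is added to `isvcd_mv_pred_ref_tfr_nby2_epmb` in isvcd_process_epslice.c. When `ps_mv_nmb_start` is NULL the default vectors are not written at all, and the only signal is the `NOT_OK` returned after the loop, which helps only if every caller checks it (the callers are not on this page). The comment would be more useful if it named the condition, e.g. `/* Inter-layer resolution init did not complete for this layer: write default MVs and skip prediction */`.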
4 changes: 4 additions & 0 deletions decoder/svc/isvcd_parse_epslice.c
Expand Up @@ -3188,6 +3188,8 @@ WORD32 isvcd_parse_interlayer_resamp_func_init(svc_dec_lyr_struct_t *ps_svc_lyr_
dec_struct_t *ps_dec = &ps_svc_lyr_dec->s_dec;
dec_slice_params_t *ps_slice = ps_dec->ps_cur_slice;
WORD32 ret = OK;
if(ps_svc_lyr_dec->u1_res_init_done == 1)
return ret;

if(TARGET_LAYER != ps_svc_lyr_dec->u1_layer_identifier)
{
Expand All @@ -3209,6 +3211,8 @@ WORD32 isvcd_parse_interlayer_resamp_func_init(svc_dec_lyr_struct_t *ps_svc_lyr_
if(ret != OK) return NOT_OK;
ret = isvcd_residual_samp_res_init(ps_svc_lyr_dec);
if(ret != OK) return NOT_OK;

ps_svc_lyr_dec->u1_res_init_done = 1;
}

return ret;
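Review bot: The early return added at the top of `isvcd_parse_interlayer_resamp_func_init` turns every call after the first successful one into a no-op until `isvcd_video_decode` clears the flag again, so if this function is invoked per slice (the call sites are not on this page), slice-dependent resampling parameters would now come from the first slice only; please confirm that is intended. The flag is set just before a closing brace whose opening lies outside the hunk, so it is also worth checking that every layer which later reaches the MV-prediction functions actually passes through that block, otherwise those functions now return `NOT_OK` for it. The flag gates only the two MV-prediction functions changed in this commit; any other consumer of the state prepared here (for example by `isvcd_residual_samp_res_init`) is not visible and may need the same check. A one-line comment above the early return, such as `/* resolution init already done for this layer in this decode call */`, would record the intent.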
18 changes: 18 additions & 0 deletions decoder/svc/isvcd_process_epslice.c
Expand Up @@ -214,6 +214,21 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_epmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
ps_dec->u2_mby = ps_cur_mb_info->u2_mby;
ps_dec->u2_mv_2mb[i & 0x1] = 0;

/* In case of error all the motion vectors are set to default value*/
if(ps_svc_lyr_dec->u1_res_init_done == 0)
{
mv_pred_t s_mvPred_temp = {{0, 0, 0, 0}, {-1, -1}, 0, 0};

if(ps_mv_nmb_start)
{
ih264d_rep_mv_colz(ps_dec, &s_mvPred_temp, ps_mv_nmb_start, 0,
(UWORD8) (u1_field << 1), 4, 4);
}
continue;
}



/* Look for MV Prediction and Reference Transfer in Non-I Mbs */
if(!ps_mb_part_info->u1_isI_mb)
{
Expand Down Expand Up @@ -485,6 +500,9 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_epmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
}
}
}
if(ps_svc_lyr_dec->u1_res_init_done == 0)
return NOT_OK;

return OK;
}
/*!
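Review bot: The guard block added in `isvcd_mv_pred_ref_tfr_nby2_epmb` is a line-for-line copy of the one added to `isvcd_mv_pred_ref_tfr_nby2_ebmb`, including the positional initialiser `{{0, 0, 0, 0}, {-1, -1}, 0, 0}` and the literal `4, 4` arguments, so a later change to `mv_pred_t` or to the default values has to be made twice. A single `static` helper that writes the default motion vectors for one MB, or at least one shared named default `mv_pred_t`, would keep the two error paths identical. The three consecutive blank lines after the block can be reduced to one.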
1 change: 1 addition & 0 deletions decoder/svc/isvcd_structs.h
Expand Up @@ -660,6 +660,7 @@ typedef struct _SvcDecLyrStruct
WORD32 i4_frm_svc_base_mode_cabac_size;
UWORD32 u4_pps_id_for_layer;
UWORD8 u1_error_in_cur_frame;
UWORD8 u1_res_init_done;
} svc_dec_lyr_struct_t;

typedef struct
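Review bot: `u1_res_init_done` is added without a comment, although its meaning depends on code in several other files: it is cleared per layer in `isvcd_video_decode`, set in `isvcd_parse_interlayer_resamp_func_init`, and read in the two MV-prediction functions. I would document it at the declaration, e.g. `/* 1 once inter-layer resolution init has completed for this layer in the current decode call, else 0 */`. The abbreviation `res` is also ambiguous next to the residual-sampling code (`isvcd_residual_samp_res_init`), so the comment should spell out that it means resolution.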
