From 7a6d2d953feda331d95941424b511a81767a7d75 Mon Sep 17 00:00:00 2001
From: Mallikarjun Kamble
Date: Fri, 27 Oct 2023 17:40:44 +0530
Subject: [PATCH] svcdec: Fixes for NULL dereferencing in inter-layer functions
Resolution level initialization is tracked in inter layer prediction functions
Bug = ossfuzz:62290
Test: svc_dec_fuzzer
---
 decoder/svc/isvcd_api.c | 1 +
 decoder/svc/isvcd_parse_ebslice.c | 18 ++++++++++++++++++
 decoder/svc/isvcd_parse_epslice.c | 4 ++++
 decoder/svc/isvcd_process_epslice.c | 18 ++++++++++++++++++
 decoder/svc/isvcd_structs.h | 1 +
 5 files changed, 42 insertions(+)
diff --git a/decoder/svc/isvcd_api.c b/decoder/svc/isvcd_api.c
index c449fba6..f3ac7780 100644
--- a/decoder/svc/isvcd_api.c
+++ b/decoder/svc/isvcd_api.c
@@ -5183,6 +5183,7 @@ WORD32 isvcd_video_decode(iv_obj_t *dec_hdl, void *pv_api_ip, void *pv_api_op)
 UWORD8 u1_layer_nal_data_present = 0;
 ps_svcd_ctxt->u1_cur_layer_id = u1_res_id;
 ps_svc_lyr_dec = ps_svcd_ctxt->ps_svc_dec_lyr + u1_res_id;
+ ps_svc_lyr_dec->u1_res_init_done = 0;
 ps_dec = &ps_svc_lyr_dec->s_dec;
 ps_dec->i4_decode_header = ps_dec_zero_lyr->i4_decode_header;
diff --git a/decoder/svc/isvcd_parse_ebslice.c b/decoder/svc/isvcd_parse_ebslice.c
index d805764a..c434d792 100644
--- a/decoder/svc/isvcd_parse_ebslice.c
+++ b/decoder/svc/isvcd_parse_ebslice.c
@@ -266,6 +266,20 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_ebmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
 ps_dec->u1_currB_type = 0;
 ps_dec->u2_mv_2mb[i & 0x1] = 0;
+ /* In case of error all the motion vectors are set to default value*/
+ if(ps_svc_lyr_dec->u1_res_init_done == 0)
+ {
+ mv_pred_t s_mvPred_temp = {{0, 0, 0, 0}, {-1, -1}, 0, 0};
+
+ if(ps_mv_nmb_start)
+ {
+ ih264d_rep_mv_colz(ps_dec, &s_mvPred_temp, ps_mv_nmb_start, 0,
+ (UWORD8) (u1_field << 1), 4, 4);
+ }
+ continue;
+ }
+
+
 /* Look for MV Prediction and Reference Transfer in Non-I Mbs */
 if(!ps_mb_part_info->u1_isI_mb)
 {
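Review bot: The comment `/* In case of error all the motion vectors are set to default value*/` above the new `if(ps_svc_lyr_dec->u1_res_init_done == 0)` does not say which error; the condition is that isvcd_parse_interlayer_resamp_func_init has not completed for this layer, and that is what a reader of the `continue` needs to know. I would reword it to `/* Inter-layer resampling init did not complete for this layer (u1_res_init_done == 0): reset this MB's MVs so later stages never read uninitialised inter-layer state, then report NOT_OK after the loop */`. The same fourteen-line block is added again in isvcd_process_epslice.c inside isvcd_mv_pred_ref_tfr_nby2_epmb, with ps_svc_lyr_dec, ps_mv_nmb_start and u1_field in scope in both places, so a small shared helper would keep the two copies from drifting apart. The enclosing MB loop and isvcd_mv_pred_ref_tfr_nby2_ebmb itself start outside the hunk, so I cannot see what per-MB bookkeeping after this point the `continue` skips; a brief note on that would help the next reader.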
@@ -622,6 +636,10 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_ebmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
 }
 }
 }
+
+ if(ps_svc_lyr_dec->u1_res_init_done == 0)
+ return NOT_OK;
+
 return OK;
 }
diff --git a/decoder/svc/isvcd_parse_epslice.c b/decoder/svc/isvcd_parse_epslice.c
index bfd32bbb..7603049b 100644
--- a/decoder/svc/isvcd_parse_epslice.c
+++ b/decoder/svc/isvcd_parse_epslice.c
@@ -3188,6 +3188,8 @@ WORD32 isvcd_parse_interlayer_resamp_func_init(svc_dec_lyr_struct_t *ps_svc_lyr_
 dec_struct_t *ps_dec = &ps_svc_lyr_dec->s_dec;
 dec_slice_params_t *ps_slice = ps_dec->ps_cur_slice;
 WORD32 ret = OK;
+ if(ps_svc_lyr_dec->u1_res_init_done == 1)
+ return ret;
 if(TARGET_LAYER != ps_svc_lyr_dec->u1_layer_identifier)
 {
@@ -3209,6 +3211,8 @@ WORD32 isvcd_parse_interlayer_resamp_func_init(svc_dec_lyr_struct_t *ps_svc_lyr_
 if(ret != OK) return NOT_OK;
 ret = isvcd_residual_samp_res_init(ps_svc_lyr_dec);
 if(ret != OK) return NOT_OK;
+
+ ps_svc_lyr_dec->u1_res_init_done = 1;
 }
 return ret;
diff --git a/decoder/svc/isvcd_process_epslice.c b/decoder/svc/isvcd_process_epslice.c
index cbcce8c9..308d5190 100644
--- a/decoder/svc/isvcd_process_epslice.c
+++ b/decoder/svc/isvcd_process_epslice.c
@@ -214,6 +214,21 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_epmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
 ps_dec->u2_mby = ps_cur_mb_info->u2_mby;
 ps_dec->u2_mv_2mb[i & 0x1] = 0;
+ /* In case of error all the motion vectors are set to default value*/
+ if(ps_svc_lyr_dec->u1_res_init_done == 0)
+ {
+ mv_pred_t s_mvPred_temp = {{0, 0, 0, 0}, {-1, -1}, 0, 0};
+
+ if(ps_mv_nmb_start)
+ {
+ ih264d_rep_mv_colz(ps_dec, &s_mvPred_temp, ps_mv_nmb_start, 0,
+ (UWORD8) (u1_field << 1), 4, 4);
+ }
+ continue;
+ }
+
+
+
 /* Look for MV Prediction and Reference Transfer in Non-I Mbs */
 if(!ps_mb_part_info->u1_isI_mb)
 {
@@ -485,6 +500,9 @@ WORD32 isvcd_mv_pred_ref_tfr_nby2_epmb(dec_struct_t *ps_dec, UWORD8 u1_mb_idx, U
 }
 }
 }
+ if(ps_svc_lyr_dec->u1_res_init_done == 0)
+ return NOT_OK;
+
 return OK;
 }
 /*!
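Review bot: The early return `if(ps_svc_lyr_dec->u1_res_init_done == 1) return ret;` in isvcd_parse_interlayer_resamp_func_init tests the flag for the exact value 1, while the checks added in isvcd_parse_ebslice.c and isvcd_process_epslice.c test it for `== 0`; any other value would pass neither check, so the layer would be re-initialised here yet still treated as uninitialised there. Treating the field as a boolean at all three sites, `if(ps_svc_lyr_dec->u1_res_init_done) return ret;` here and `if(!ps_svc_lyr_dec->u1_res_init_done)` in the other two files, removes that gap. The return also sits before the `TARGET_LAYER` check and relies on the per-layer reset added in isvcd_video_decode to ever re-run the init; a one-line comment stating that the flag is cleared once per layer per decode call would make that contract visible where it is consumed.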
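Review bot: `ps_svc_lyr_dec->u1_res_init_done = 1;` is set only inside the block that the hunk's closing `}` ends, right after isvcd_residual_samp_res_init succeeds; the opening condition of that block lies outside the hunk, so I cannot see whether every layer that later runs isvcd_mv_pred_ref_tfr_nby2_ebmb or isvcd_mv_pred_ref_tfr_nby2_epmb enters it. A layer that reaches `return ret;` with the flag still 0 would now have every MB's MVs defaulted and get NOT_OK from those two functions although its init was not actually in error, so it is worth confirming that the block is entered for every layer that uses the inter-layer MV functions, or documenting the intended exception in a comment beside the assignment. The earlier `if(ret != OK) return NOT_OK;` paths correctly leave the flag at 0.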
diff --git a/decoder/svc/isvcd_structs.h b/decoder/svc/isvcd_structs.h
index 19592026..fefd32d5 100644
--- a/decoder/svc/isvcd_structs.h
+++ b/decoder/svc/isvcd_structs.h
@@ -660,6 +660,7 @@ typedef struct _SvcDecLyrStruct
 WORD32 i4_frm_svc_base_mode_cabac_size;
 UWORD32 u4_pps_id_for_layer;
 UWORD8 u1_error_in_cur_frame;
+ UWORD8 u1_res_init_done;
 } svc_dec_lyr_struct_t;
 typedef struct
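Review bot: The new field `UWORD8 u1_res_init_done;` carries no comment although its meaning is spread over four files: cleared per layer in isvcd_video_decode, set to 1 at the end of isvcd_parse_interlayer_resamp_func_init, and checked in the two isvcd_mv_pred_ref_tfr_nby2_* functions, which default the MVs and return NOT_OK when it is still 0. A one-line comment such as `/* 1 once inter-layer resampling init completed for the current layer; cleared per layer in isvcd_video_decode, checked before inter-layer MV prediction */` documents the contract where readers will look for it. The typedef begins outside the hunk.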