

ref: 77406e6a66ae9c58b5ef3e7a37ac2714b8a0db9f
parent: d9c90051dc36c9a387a4f9ae8f22e044f7b755db
author: xiaotianshi2 <[email protected]>
date: Sat Oct 10 18:34:14 EDT 2020

fix ossfuzz issue: decoder hits infinite loop when iMaxLongTermFrameIdx is invalid (exceeds the maximum)

--- a/codec/decoder/core/src/decoder_core.cpp
+++ b/codec/decoder/core/src/decoder_core.cpp
@@ -543,7 +543,12 @@
           WELS_VERIFY_RETURN_IF (-1, bMmco4Exist);
           bMmco4Exist = true;
           WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //max_long_term_frame_idx_plus1
-          kpRefMarking->sMmcoRef[iIdx].iMaxLongTermFrameIdx = -1 + uiCode;
+          int32_t iMaxLongTermFrameIdx = -1 + uiCode;
+          if (iMaxLongTermFrameIdx > int32_t (pSps->uiLog2MaxFrameNum)) {
+            //ISO/IEC 14496-10:2009(E) 7.4.3.3 Decoded reference picture marking semantics page 96
+            return GENERATE_ERROR_NO (ERR_LEVEL_SLICE_HEADER, ERR_INFO_INVALID_REF_MARKING);
+          }
+          kpRefMarking->sMmcoRef[iIdx].iMaxLongTermFrameIdx = iMaxLongTermFrameIdx;
         } else if (kuiMmco == MMCO_RESET) {
           WELS_VERIFY_RETURN_IF (-1, (!bAllowMmco5 || bMmco5Exist));
           bMmco5Exist = true;
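Review bot: The new range check on iMaxLongTermFrameIdx is one-sided and, as I read the cited clause, compares against the wrong SPS field: 7.4.3.3 bounds max_long_term_frame_idx_plus1 by max_num_ref_frames, whereas the hunk compares against `pSps->uiLog2MaxFrameNum` (a bit width in the range 4..16), so for streams with few reference frames the decoder still accepts indices above the spec limit, and for streams with many it may reject valid ones — please confirm against the spec and use the SPS num_ref_frames value if so. Separately, `-1 + uiCode` is evaluated in uint32_t and then converted to int32_t, so a large ue(v) code can wrap to a negative value other than -1 and slip past a `>` test; rejecting that explicitly, `if (iMaxLongTermFrameIdx < -1 || iMaxLongTermFrameIdx > <spec bound>)`, closes the gap without changing the valid cases. It would also help to comment that -1 is the legitimate "no long-term frame indices allowed" value so a future reader does not tighten the lower bound to 0. The enclosing MMCO parsing loop starts and ends outside this hunk, so I cannot see how downstream consumers react to a negative index other than -1.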