ref: 77406e6a66ae9c58b5ef3e7a37ac2714b8a0db9f
parent: d9c90051dc36c9a387a4f9ae8f22e044f7b755db
author: xiaotianshi2 <[email protected]>
date: Sat Oct 10 18:34:14 EDT 2020
fix ossfuzz issue: decoder hits infinite loop when iMaxLongTermFrameIdx is invalid (exceeds the maximum)
--- a/codec/decoder/core/src/decoder_core.cpp
+++ b/codec/decoder/core/src/decoder_core.cpp
@@ -543,7 +543,12 @@
WELS_VERIFY_RETURN_IF (-1, bMmco4Exist);
bMmco4Exist = true;
WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //max_long_term_frame_idx_plus1
- kpRefMarking->sMmcoRef[iIdx].iMaxLongTermFrameIdx = -1 + uiCode;
+ int32_t iMaxLongTermFrameIdx = -1 + uiCode;
+ if (iMaxLongTermFrameIdx > int32_t (pSps->uiLog2MaxFrameNum)) {
+ //ISO/IEC 14496-10:2009(E) 7.4.3.3 Decoded reference picture marking semantics page 96
+ return GENERATE_ERROR_NO (ERR_LEVEL_SLICE_HEADER, ERR_INFO_INVALID_REF_MARKING);
+ }
+ kpRefMarking->sMmcoRef[iIdx].iMaxLongTermFrameIdx = iMaxLongTermFrameIdx;
} else if (kuiMmco == MMCO_RESET) {
WELS_VERIFY_RETURN_IF (-1, (!bAllowMmco5 || bMmco5Exist));
bMmco5Exist = true;
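Review bot: The new range check `if (iMaxLongTermFrameIdx > int32_t (pSps->uiLog2MaxFrameNum))` runs only after `-1 + uiCode` has been narrowed to `int32_t`. If uiCode is an unsigned 32-bit value (its declaration is outside the hunk) and BsGetUe can return a code above 0x80000000, the result would turn negative, pass the upper-bound test and be stored as an index below -1. Testing the raw value before the subtraction closes that gap: `if (uiCode > (uint32_t) pSps->uiLog2MaxFrameNum + 1) return GENERATE_ERROR_NO (ERR_LEVEL_SLICE_HEADER, ERR_INFO_INVALID_REF_MARKING);`. The bound itself deserves a second look: as I read the cited clause 7.4.3.3, max_long_term_frame_idx_plus1 is limited by max_num_ref_frames rather than log2_max_frame_num, so the comment should name the intended limit and say why it was chosen. The enclosing MMCO branch begins and ends outside this hunk.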