Fix integer overflow in h264 pps parser
Bug: chromium:1250730
Change-Id: Idda8e92262af7c3190698e1fb5ba001f6de55c47
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/232327
Reviewed-by: Erik Språng <sprang@webrtc.org>
Reviewed-by: Stefan Holmer <stefan@webrtc.org>
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#35036}
diff --git a/common_video/h264/pps_parser.cc b/common_video/h264/pps_parser.cc
index 8e52ec1..2fc9749 100644
--- a/common_video/h264/pps_parser.cc
+++ b/common_video/h264/pps_parser.cc
@@ -11,6 +11,7 @@
#include "common_video/h264/pps_parser.h"
#include <cstdint>
+#include <limits>
#include <vector>
#include "absl/numeric/bits.h"
@@ -116,7 +117,12 @@
// slice_group_id: array of size pic_size_in_map_units, each element
// is represented by ceil(log2(num_slice_groups_minus1 + 1)) bits.
- reader.ConsumeBits(slice_group_id_bits * pic_size_in_map_units);
+ int64_t bits_to_consume =
+ int64_t{slice_group_id_bits} * pic_size_in_map_units;
+ if (!reader.Ok() || bits_to_consume > std::numeric_limits<int>::max()) {
+ return absl::nullopt;
+ }
+ reader.ConsumeBits(bits_to_consume);
}
}
// num_ref_idx_l0_default_active_minus1: ue(v)
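Review bot: The narrowing in `reader.ConsumeBits(bits_to_consume);` is implicit — `bits_to_consume` is `int64_t`, and the guard against `std::numeric_limits<int>::max()` only makes sense if `ConsumeBits` takes an `int`, which the hunk does not show. Making it explicit, `reader.ConsumeBits(static_cast<int>(bits_to_consume));`, keeps the bound in the check and the parameter type visibly in agreement for the next reader. A comment above the check would also help: `// Both factors come straight from the bitstream; reject products ConsumeBits cannot represent instead of letting the narrowing wrap.` The declarations of `slice_group_id_bits` and `pic_size_in_map_units` are outside the hunk, so whether the product can be negative (and slip past a `>`-only check) cannot be confirmed here; if either operand is signed, `bits_to_consume < 0` belongs in the same condition. The enclosing function starts and ends outside this hunk.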
diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn
index 171577a..27badf2 100644
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@@ -78,6 +78,7 @@
webrtc_fuzzer_test("h264_depacketizer_fuzzer") {
sources = [ "h264_depacketizer_fuzzer.cc" ]
deps = [ "../../modules/rtp_rtcp" ]
+ seed_corpus = "corpora/h264-depacketizer-fuzzer-corpus"
}
webrtc_fuzzer_test("vp8_depacketizer_fuzzer") {
diff --git a/test/fuzzers/corpora/h264-depacketizer-fuzzer-corpus/h264-0 b/test/fuzzers/corpora/h264-depacketizer-fuzzer-corpus/h264-0
new file mode 100644
index 0000000..dbe089f
--- /dev/null
+++ b/test/fuzzers/corpora/h264-depacketizer-fuzzer-corpus/h264-0
Binary files differ