h264: fix memory filling up in case of malicious SPS (#153)

When CpbCntMinus1 is set to unreasonably high values, the RAM fills up.
bluenviron · Oct 20, 2024 · 05af021 · 05af021
1 parent 058cf2b
commit 05af021
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 0 deletions.
diff --git a/pkg/codecs/h264/sps.go b/pkg/codecs/h264/sps.go
@@ -65,6 +65,10 @@ func (h *SPS_HRD) unmarshal(buf []byte, pos *int) error {
 		return err
 	}
 
+	if h.CpbCntMinus1 > 31 {
+		return fmt.Errorf("invalid cpb_cnt_minus1")
+	}
+
 	h.BitRateScale = uint8(bits.ReadBitsUnsafe(buf, pos, 4))
 	h.CpbSizeScale = uint8(bits.ReadBitsUnsafe(buf, pos, 4))
 

diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/65723675a245f75c b/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/65723675a245f75c
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("'z00]")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/c5a5368bc88a516b b/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/c5a5368bc88a516b
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("gd\x00\f\xac;l\xb0KB\x00\x00\x03\x02\x00\x00\x03\x00=\b")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/cb118e6139f5f66d b/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/cb118e6139f5f66d
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("gd\x00\f\xac;M\xb0KB\x00\x00\x00\x02\x00\x00\x03\x00=\b")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/d4c5133ac78913be b/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/d4c5133ac78913be
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("'z001000")
diff --git a/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/fb13f5b503d117ae b/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/fb13f5b503d117ae
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("gd\x00\x1f\xac\xd9@P\x05\xbb\x01l@\x00\x00\x03\x00\x80\x00\x00\x1e\a\x8c\x18\xcb")