avcodec/hevcdec: Check for overlapping slices
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 16 Nov 2018 19:03:01 +0000 (20:03 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Sat, 1 Dec 2018 01:17:19 +0000 (02:17 +0100)
Fixes: Timeout
Fixes: 10108/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-6222384351674368
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/hevcdec.c
libavcodec/hevcdec.h

index a3b5c8cb71e5daf688e24d8637e49522c503430f..10bf2563c060b8c80da4124ea27b86b5d5979c78 100644 (file)
@@ -2942,6 +2942,7 @@ static int decode_nal_unit(HEVCContext *s, const H2645NAL *nal)
                     s->max_ra = INT_MIN;
             }
 
+            s->overlap ++;
             ret = hevc_frame_start(s);
             if (ret < 0)
                 return ret;
@@ -3020,6 +3021,7 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length)
     s->ref = NULL;
     s->last_eos = s->eos;
     s->eos = 0;
+    s->overlap = 0;
 
     /* split the input packet into NAL units, so we know the upper bound on the
      * number of slices in the frame */
@@ -3054,6 +3056,8 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length)
             continue;
 
         ret = decode_nal_unit(s, nal);
+        if (ret >= 0 && s->overlap > 2)
+            ret = AVERROR_INVALIDDATA;
         if (ret < 0) {
             av_log(s->avctx, AV_LOG_WARNING,
                    "Error parsing NAL unit #%d.\n", i);
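Review bot: The limit in `if (ret >= 0 && s->overlap > 2)` is a bare constant, and nothing in the hunk says why two frame starts in one packet are tolerated while a third is rejected. A short comment above the check, for example `/* a packet that starts a frame more than twice is treated as invalid */`, would record the intent behind the timeout fix. The rejection also falls into the generic "Error parsing NAL unit #%d" warning, so logs cannot tell this condition apart from an ordinary parse failure; a dedicated `av_log(s->avctx, AV_LOG_ERROR, "Too many frame starts in packet.\n");` next to `ret = AVERROR_INVALIDDATA;` would make it visible when triaging malformed streams. The code after the warning is outside the hunk, so whether decoding of the packet actually stops at this point should be confirmed there.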
index dd951aae065a06e3a98ddc9b57373c92159369a6..b45969b7e233727f6d8207bbf8bdf5697736bd70 100644 (file)
@@ -430,6 +430,7 @@ typedef struct HEVCContext {
     int max_ra;
     int bs_width;
     int bs_height;
+    int overlap;
 
     int is_decoded;
     int no_rasl_output_flag;
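Review bot: The new field `int overlap;` has no comment, and its name does not say what is being counted. From the hevcdec.c hunks it is zeroed at the top of decode_nal_units() and incremented just before the call to hevc_frame_start(), so it appears to count frame starts per input packet. A comment such as `int overlap; ///< frame starts seen in the current packet, reset in decode_nal_units()` would spare readers that reconstruction. The struct definition begins and ends outside the hunk.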