

ref: be8e62ff47c9d7967e9f402baabe34de1482ec86
parent: 0ad782525ec14a5188a441bbc30f811576b529b7
parent: 77406e6a66ae9c58b5ef3e7a37ac2714b8a0db9f
author: huili2 <huili2@cisco.com>
date: Mon Oct 12 04:32:55 EDT 2020

Merge pull request #3348 from xiaotianshi2/ossfuzz-issue-25895

Fix ossfuzz issue: the decoder hits an infinite loop when iMaxLongTermFrameIdx is invalid (exceeds the maximum).

--- a/codec/decoder/core/src/decoder_core.cpp
+++ b/codec/decoder/core/src/decoder_core.cpp
@@ -543,7 +543,12 @@
           WELS_VERIFY_RETURN_IF (-1, bMmco4Exist);
           bMmco4Exist = true;
           WELS_READ_VERIFY (BsGetUe (pBs, &uiCode)); //max_long_term_frame_idx_plus1
-          kpRefMarking->sMmcoRef[iIdx].iMaxLongTermFrameIdx = -1 + uiCode;
+          int32_t iMaxLongTermFrameIdx = -1 + uiCode;
+          if (iMaxLongTermFrameIdx > int32_t (pSps->uiLog2MaxFrameNum)) {
+            //ISO/IEC 14496-10:2009(E) 7.4.3.3 Decoded reference picture marking semantics page 96
+            return GENERATE_ERROR_NO (ERR_LEVEL_SLICE_HEADER, ERR_INFO_INVALID_REF_MARKING);
+          }
+          kpRefMarking->sMmcoRef[iIdx].iMaxLongTermFrameIdx = iMaxLongTermFrameIdx;
         } else if (kuiMmco == MMCO_RESET) {
           WELS_VERIFY_RETURN_IF (-1, (!bAllowMmco5 || bMmco5Exist));
           bMmco5Exist = true;
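Review bot: The upper bound on the third added line compares `iMaxLongTermFrameIdx` against `pSps->uiLog2MaxFrameNum`, but the cited 7.4.3.3 semantics constrain max_long_term_frame_idx_plus1 to the range 0..max_num_ref_frames, so the SPS max_num_ref_frames value is the bound the comment refers to; log2_max_frame_num merely happens to be small enough to stop the loop. The check is also one-sided: `uiCode` is unsigned, so a sufficiently large ue(v) value makes `-1 + uiCode` wrap to a negative int32_t other than -1 that passes the `>` test and is stored into sMmcoRef unchanged (whether BsGetUe can return such values is not visible in this hunk). A guard such as `if (iMaxLongTermFrameIdx < -1 || iMaxLongTermFrameIdx > int32_t (pSps->uiLog2MaxFrameNum)) {` closes that side, and replacing the right operand with the SPS max_num_ref_frames field would match the cited clause. The enclosing ref-marking parse loop starts and ends outside the hunk.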