prevent RAM exhaustion with some SPS strings (#184)

2025-11-03 11:11:01 +08:00 · 2023-02-06 22:18:20 +01:00
parent 82f69e94f6
commit 6deba3e454
6 changed files with 34 additions and 0 deletions
--- a/pkg/codecs/h264/sps.go
+++ b/pkg/codecs/h264/sps.go
@@ -6,6 +6,10 @@ import (
 	"github.com/aler9/gortsplib/v2/pkg/bits"
 )

+const (
+	maxRefFrames = 255
+)
+
 func readScalingList(buf []byte, pos *int, size int) ([]int32, bool, error) {
 	lastScale := int32(8)
 	nextScale := int32(8)
@@ -593,6 +597,10 @@ func (s *SPS) Unmarshal(buf []byte) error {
 			return err
 		}

+		if numRefFramesInPicOrderCntCycle > maxRefFrames {
+			return fmt.Errorf("num_ref_frames_in_pic_order_cnt_cycle exceeds %d", maxRefFrames)
+		}
+
 		s.OffsetForRefFrames = make([]int32, numRefFramesInPicOrderCntCycle)
 		for i := uint32(0); i < numRefFramesInPicOrderCntCycle; i++ {
 			v, err := bits.ReadGolombSigned(buf, &pos)
--- a/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/6842f656bc0b9621f03f7e239abd268cf254b3a983a6b7379293611f56ebe74d
+++ b/pkg/codecs/h264/testdata/fuzz/FuzzSPSUnmarshal/6842f656bc0b9621f03f7e239abd268cf254b3a983a6b7379293611f56ebe74d
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("00001\x17\x0000")
--- a/pkg/codecs/h265/sps.go
+++ b/pkg/codecs/h265/sps.go
@@ -7,6 +7,12 @@ import (
 	"github.com/aler9/gortsplib/v2/pkg/codecs/h264"
 )

+const (
+	maxNegativePics     = 255
+	maxPositivePics     = 255
+	maxShortTermRefPics = 64
+)
+
 var subWidthC = []uint32{
 	1,
 	2,
@@ -462,6 +468,10 @@ func (r *SPS_ShortTermRefPicSet) unmarshal(buf []byte, pos *int, stRpsIdx uint32
 		}

 		if r.NumNegativePics > 0 {
+			if r.NumNegativePics > maxNegativePics {
+				return fmt.Errorf("num_negative_pics exceeds %d", maxNegativePics)
+			}
+
 			r.DeltaPocS0Minus1 = make([]uint32, r.NumNegativePics)
 			r.UsedByCurrPicS0Flag = make([]bool, r.NumNegativePics)

@@ -479,6 +489,10 @@ func (r *SPS_ShortTermRefPicSet) unmarshal(buf []byte, pos *int, stRpsIdx uint32
 		}

 		if r.NumPositivePics > 0 {
+			if r.NumPositivePics > maxPositivePics {
+				return fmt.Errorf("num_positive_pics exceeds %d", maxPositivePics)
+			}
+
 			r.DeltaPocS1Minus1 = make([]uint32, r.NumPositivePics)
 			r.UsedByCurrPicS1Flag = make([]bool, r.NumPositivePics)

@@ -752,6 +766,10 @@ func (s *SPS) Unmarshal(buf []byte) error {
 	}

 	if numShortTermRefPicSets > 0 {
+		if numShortTermRefPicSets > maxShortTermRefPics {
+			return fmt.Errorf("num_short_term_ref_pic_sets exceeds %d", maxShortTermRefPics)
+		}
+
 		s.ShortTermRefPicSets = make([]*SPS_ShortTermRefPicSet, numShortTermRefPicSets)

 		for i := uint32(0); i < numShortTermRefPicSets; i++ {
--- a/pkg/codecs/h265/testdata/fuzz/FuzzSPSUnmarshal/05c89dc905ecc2ca9fc8fa08e0e0d56b83156fd4d8de02c03bda9a96b85679e0
+++ b/pkg/codecs/h265/testdata/fuzz/FuzzSPSUnmarshal/05c89dc905ecc2ca9fc8fa08e0e0d56b83156fd4d8de02c03bda9a96b85679e0
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("0000000000000000C11110010000\x00000")
--- a/pkg/codecs/h265/testdata/fuzz/FuzzSPSUnmarshal/27052827203b64be7e464d07f815b5af2a08d4e6406f173702c88b6a86862437
+++ b/pkg/codecs/h265/testdata/fuzz/FuzzSPSUnmarshal/27052827203b64be7e464d07f815b5af2a08d4e6406f173702c88b6a86862437
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("000000000000000\xf571707\x80\x00\x00\x00\xea\xea\xea\xea\xea\xea0")
--- a/pkg/codecs/h265/testdata/fuzz/FuzzSPSUnmarshal/653a4111f80a68c2f197f0add573756caf6da8dd8aeb7051bc88bc3e954f2901
+++ b/pkg/codecs/h265/testdata/fuzz/FuzzSPSUnmarshal/653a4111f80a68c2f197f0add573756caf6da8dd8aeb7051bc88bc3e954f2901
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("00000000000000070000000000000,1\x0007")