fix[h2645d_sei]: fix read byte overflow error

Change-Id: I0ec0e37ee3c737ea0d05af1be5a9380eb10c02cd Signed-off-by: xueman.ruan <xueman.ruan@rock-chips.com>
2025-10-07 01:52:46 +08:00 · 2024-09-29 17:39:22 +08:00
parent bbe1a74bde
commit 24e69673a4
2 changed files with 37 additions and 0 deletions
--- a/mpp/codec/dec/h264/h264d_sei.c
+++ b/mpp/codec/dec/h264/h264d_sei.c
@@ -17,6 +17,7 @@

 #define MODULE_TAG  "h264d_sei"

+#include <limits.h>
 #include <stdio.h>
 #include <string.h>

@@ -249,6 +250,12 @@ MPP_RET process_sei(H264_SLICE_t *currSlice)
        tmp_byte = 0xFF;
        sei_msg->type = 0;
        while (tmp_byte == 0xFF) {
+            if (p_bitctx->bytes_left_ < 2 || sei_msg->type > INT_MAX - 255) {
+                mpp_err("parse payload_type error: byte_left %d payload_type %d\n",
+                        p_bitctx->bytes_left_, sei_msg->type);
+                return MPP_ERR_STREAM;
+            }
+
            READ_BITS(p_bitctx, 8, &tmp_byte);
            sei_msg->type += tmp_byte;
        }
@@ -256,10 +263,22 @@ MPP_RET process_sei(H264_SLICE_t *currSlice)
        tmp_byte = 0xFF;
        sei_msg->payload_size = 0;
        while (tmp_byte == 0xFF) {
+            if ((RK_S32)p_bitctx->bytes_left_ < sei_msg->payload_size + 1) {
+                mpp_err("parse payload_size error: byte_left %d payload_size %d\n",
+                        p_bitctx->bytes_left_, sei_msg->payload_size + 1);
+                return MPP_ERR_STREAM;
+            }
+
            READ_BITS(p_bitctx, 8, &tmp_byte);
            sei_msg->payload_size += tmp_byte;
        }

+        if ((RK_S32)p_bitctx->bytes_left_ < sei_msg->payload_size) {
+            mpp_err("parse payload_size error: byte_left %d payload_size %d\n",
+                    p_bitctx->bytes_left_, sei_msg->payload_size);
+            return MPP_ERR_STREAM;
+        }
+
        H264D_DBG(H264D_DBG_SEI, "SEI type %d, payload size: %d\n", sei_msg->type, sei_msg->payload_size);

        memset(&payload_bitctx, 0, sizeof(payload_bitctx));
--- a/mpp/codec/dec/h265/h265d_sei.c
+++ b/mpp/codec/dec/h265/h265d_sei.c
@@ -422,15 +422,33 @@ MPP_RET mpp_hevc_decode_nal_sei(HEVCContext *s)
        payload_size = 0;
        byte = 0xFF;
        while (byte == 0xFF) {
+            if (gb->bytes_left_ < 2 || payload_type > INT_MAX - 255) {
+                mpp_err("parse payload_type error: byte_left %d payload_type %d\n",
+                        gb->bytes_left_, payload_type);
+                return MPP_ERR_STREAM;
+            }
+
            READ_BITS(gb, 8, &byte);
            payload_type += byte;
        }
        byte = 0xFF;
        while (byte == 0xFF) {
+            if ((RK_S32)gb->bytes_left_ < payload_size + 1) {
+                mpp_err("parse payload_size error: byte_left %d payload_size %d\n",
+                        gb->bytes_left_, payload_size + 1);
+                return MPP_ERR_STREAM;
+            }
+
            READ_BITS(gb, 8, &byte);
            payload_size += byte;
        }

+        if ((RK_S32)gb->bytes_left_ < payload_size) {
+            mpp_err("parse payload_size error: byte_left %d payload_size %d\n",
+                    gb->bytes_left_, payload_size);
+            return MPP_ERR_STREAM;
+        }
+
        memset(&payload_bitctx, 0, sizeof(payload_bitctx));
        mpp_set_bitread_ctx(&payload_bitctx, s->HEVClc->gb.data_, payload_size);
        mpp_set_bitread_pseudo_code_type(&payload_bitctx, PSEUDO_CODE_H264_H265_SEI);