From 459648761f5412acdc3317d5bac982ceaa257584 Author: Niklas Haas Date: Sat Apr 6 13:11:09 2024 +0200 Subject: avcodec/hevcdec: fix segfault on invalid film grain metadata References: CVE-2024-32228 References: bsc#1227277 Upstream: Backport from upstream Invalid input files may contain film grain metadata which survives ff_h274_film_grain_params_supported() but does not pass av_film_grain_params_select(), leading to a SIGSEGV on hevc_frame_end(). Fix this by duplicating the av_film_grain_params_select() check at frame init time. An alternative solution here would be to defer the incompatibility check to hevc_frame_end(), but this has the downside of allocating a film grain buffer even when we already know we can't apply film grain. Fixes: https://trac.ffmpeg.org/ticket/10951 --- ffmpeg-5.1.4/libavcodec/hevcdec.c +++ ffmpeg-5.1.4_new/libavcodec/hevcdec.c @@ -3035,12 +3035,29 @@ goto fail; } - s->ref->frame->key_frame = IS_IRAP(s); + if (IS_IRAP(s)) + s->ref->frame->flags |= AV_FRAME_FLAG_KEY; + else + s->ref->frame->flags &= ~AV_FRAME_FLAG_KEY; - s->ref->needs_fg = s->sei.film_grain_characteristics.present && + s->ref->needs_fg = (s->sei.common.film_grain_characteristics.present || + s->sei.common.aom_film_grain.enable) && !(s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) && !s->avctx->hwaccel; + ret = set_side_data(s); + if (ret < 0) + goto fail; + + if (s->ref->needs_fg && + ( s->sei.common.film_grain_characteristics.present && + !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id, + s->ref->frame->format)) + || !av_film_grain_params_select(s->ref->frame)) { + av_log_once(s->avctx, AV_LOG_WARNING, AV_LOG_DEBUG, &s->film_grain_warning_shown, + "Unsupported film grain parameters. Ignoring film grain.\n"); + s->ref->needs_fg = 0; + } if (s->ref->needs_fg) { s->ref->frame_grain->format = s->ref->frame->format; s->ref->frame_grain->width = s->ref->frame->width; @@ -3049,10 +3066,6 @@ goto fail; } - ret = set_side_data(s); - if (ret < 0) - goto fail; - s->frame->pict_type = 3 - s->sh.slice_type; if (!IS_IRAP(s))