From 459648761f5412acdc3317d5bac982ceaa257584
Author: Niklas Haas
Date: Sat Apr 6 13:11:09 2024 +0200
Subject: avcodec/hevcdec: fix segfault on invalid film grain metadata
References: CVE-2024-32228
References: bsc#1227277
Upstream: Backport from upstream

Invalid input files may contain film grain metadata which survives ff_h274_film_grain_params_supported() but does not pass av_film_grain_params_select(), leading to a SIGSEGV on hevc_frame_end(). Fix this by duplicating the av_film_grain_params_select() check at frame init time. An alternative solution here would be to defer the incompatibility check to hevc_frame_end(), but this has the downside of allocating a film grain buffer even when we already know we can't apply film grain.

Fixes: https://trac.ffmpeg.org/ticket/10951
--- ffmpeg-7.0/libavcodec/hevcdec.c
+++ ffmpeg-7.0_new/libavcodec/hevcdec.c
@@ -2892,10 +2892,16 @@
 !(s->avctx->export_side_data & AV_CODEC_EXPORT_DATA_FILM_GRAIN) &&
 !s->avctx->hwaccel;

+ ret = set_side_data(s);
+ if (ret < 0)
+ goto fail;
+
 if (s->ref->needs_fg &&
- s->sei.common.film_grain_characteristics.present &&
- !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id,
- s->ref->frame->format)) {
+ ( s->sei.common.film_grain_characteristics.present &&
+ !ff_h274_film_grain_params_supported(s->sei.common.film_grain_characteristics.model_id,
+ s->ref->frame->format))
+ || !av_film_grain_params_select(s->ref->frame)) {
+
 av_log_once(s->avctx, AV_LOG_WARNING, AV_LOG_DEBUG, &s->film_grain_warning_shown,
 "Unsupported film grain parameters. Ignoring film grain.\n");
 s->ref->needs_fg = 0;
@@ -2909,10 +2915,6 @@
 goto fail;
 }

- ret = set_side_data(s);
- if (ret < 0)
- goto fail;
-
 s->frame->pict_type = 3 - s->sh.slice_type;

 if (!IS_IRAP(s))
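Review bot: In the rewritten `if` of the first hunk, the `|| !av_film_grain_params_select(s->ref->frame)` term sits outside the `s->ref->needs_fg &&` conjunction, because `&&` binds tighter than `||` and the inner parenthesis already closes after `s->ref->frame->format))`. The select call and the "Unsupported film grain parameters" warning path are therefore reached even when `needs_fg` is already 0, presumably also for frames with no film grain side data at all, which would make the warning misleading on ordinary streams; the crash fix itself still holds, since `needs_fg` is cleared either way. Wrapping the whole disjunction fixes this: open one more `(` after `s->ref->needs_fg &&` and end the condition with `|| !av_film_grain_params_select(s->ref->frame))) {`. A one-line comment above the moved `set_side_data(s)` call, saying it must stay ahead of the film grain check because the select call apparently reads side data attached to the frame, would keep a later reorder from reintroducing CVE-2024-32228. The enclosing function starts and ends outside the hunk.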