From 057f90b7cb14b6bd95f7475be17ec157397ef867 Mon Sep 17 00:00:00 2001
From: Danil Chapovalov
Date: Fri, 17 Sep 2021 18:14:20 +0200
Subject: [PATCH] Fix integer overflow in h264 pps parser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: chromium:1250730
Change-Id: Idda8e92262af7c3190698e1fb5ba001f6de55c47
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/232327
Reviewed-by: Erik Språng
Reviewed-by: Stefan Holmer
Commit-Queue: Danil Chapovalov
Cr-Commit-Position: refs/heads/main@{#35036}
---
 common_video/h264/pps_parser.cc | 8 +++++++-
 test/fuzzers/BUILD.gn | 1 +
 .../corpora/h264-depacketizer-fuzzer-corpus/h264-0 | Bin 0 -> 10 bytes
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzers/corpora/h264-depacketizer-fuzzer-corpus/h264-0
diff --git a/common_video/h264/pps_parser.cc b/common_video/h264/pps_parser.cc
index 8e52ec19cf..2fc9749e8c 100644
--- a/common_video/h264/pps_parser.cc
+++ b/common_video/h264/pps_parser.cc
@@ -11,6 +11,7 @@
 #include "common_video/h264/pps_parser.h"
 #include
+#include
 #include
 #include "absl/numeric/bits.h"
@@ -116,7 +117,12 @@ absl::optional PpsParser::ParseInternal(
       // slice_group_id: array of size pic_size_in_map_units, each element
       // is represented by ceil(log2(num_slice_groups_minus1 + 1)) bits.
-      reader.ConsumeBits(slice_group_id_bits * pic_size_in_map_units);
+      int64_t bits_to_consume =
+          int64_t{slice_group_id_bits} * pic_size_in_map_units;
+      if (!reader.Ok() || bits_to_consume > std::numeric_limits::max()) {
+        return absl::nullopt;
+      }
+      reader.ConsumeBits(bits_to_consume);
     }
   }
   // num_ref_idx_l0_default_active_minus1: ue(v)
diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn
index 171577aab7..27badf2d16 100644
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
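Review bot: The new `if` in the second pps_parser.cc hunk bounds bits_to_consume only against the numeric limit of the type passed to ConsumeBits (the template argument of std::numeric_limits has been stripped in this rendering), not against the bits actually left in the reader, so any product just under that cap is still handed to reader.ConsumeBits and correctness depends on the reader flagging the overrun; that is presumably what later reader.Ok() checks do, but ParseInternal's body continues outside the hunk, so it cannot be confirmed here. The int64_t promotion only rules out overflow if both slice_group_id_bits and pic_size_in_map_units are at most 32 bits wide, and their declarations are above the hunk; a `static_assert(sizeof(slice_group_id_bits) <= 4 && sizeof(pic_size_in_map_units) <= 4, "product must fit in int64_t");` or at least the comment `// Both operands are at most 32 bits, so the product cannot overflow int64_t.` next to the multiplication would make the fix self-documenting. The diffstat shows a fuzzer seed added but no unit test; a pps_parser_unittest case feeding a PPS whose slice_group_id bit count exceeds the limit and asserting absl::nullopt would pin the regression independently of the fuzzer.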
@@ -78,6 +78,7 @@ template("webrtc_fuzzer_test") {
 webrtc_fuzzer_test("h264_depacketizer_fuzzer") {
   sources = [ "h264_depacketizer_fuzzer.cc" ]
   deps = [ "../../modules/rtp_rtcp" ]
+  seed_corpus = "corpora/h264-depacketizer-fuzzer-corpus"
 }
 webrtc_fuzzer_test("vp8_depacketizer_fuzzer") {
diff --git a/test/fuzzers/corpora/h264-depacketizer-fuzzer-corpus/h264-0 b/test/fuzzers/corpora/h264-depacketizer-fuzzer-corpus/h264-0
new file mode 100644
index 0000000000000000000000000000000000000000..dbe089f27862c47bf897966739936d108e03cebc
GIT binary patch
literal 10
RcmZQzVC*QBVPIh31po&j0Vn_f
literal 0
HcmV?d00001