From 8db8824536f01dd4ccb29f68a645b99f63bb267f Mon Sep 17 00:00:00 2001
From: qwu16
Date: Tue, 26 Sep 2023 14:23:52 +0800
Subject: [PATCH] Fix use-of-uninitialized-value and integer-overflow issues reported by chromium fuzz testing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: chromium:1485906,chromium:1486414
Change-Id: Ia976926fb08405c1cb03bbcfde07d2076bd6f4c2
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/321545
Reviewed-by: Erik Språng
Reviewed-by: Sergey Silkin
Commit-Queue: Sergey Silkin
Reviewed-by: Erik Språng
Cr-Commit-Position: refs/heads/main@{#40861}
---
 common_video/h265/h265_bitstream_parser.cc | 5 ++--
 common_video/h265/h265_common.h | 6 ++---
 common_video/h265/h265_sps_parser.cc | 28 ++++++++++----------
 common_video/h265/h265_sps_parser.h | 30 +++++++++++-----------
 4 files changed, 33 insertions(+), 36 deletions(-)

diff --git a/common_video/h265/h265_bitstream_parser.cc b/common_video/h265/h265_bitstream_parser.cc
index ee77166705..1093add102 100644
--- a/common_video/h265/h265_bitstream_parser.cc
+++ b/common_video/h265/h265_bitstream_parser.cc
@@ -138,8 +138,7 @@ H265BitstreamParser::Result H265BitstreamParser::ParseNonParameterSetNalu(
 slice_reader.ConsumeBits(1);
 }
 // slice_type: ue(v)
- uint32_t slice_type = 0;
- slice_type = slice_reader.ReadExponentialGolomb();
+ uint32_t slice_type = slice_reader.ReadExponentialGolomb();
 IN_RANGE_OR_RETURN(slice_type, 0, 2);
 if (pps->output_flag_present_flag) {
 // pic_output_flag: u(1)
@@ -274,7 +273,7 @@ H265BitstreamParser::Result H265BitstreamParser::ParseNonParameterSetNalu(
 }
 uint32_t num_pic_total_curr = 0;
- uint32_t curr_sps_idx;
+ uint32_t curr_sps_idx = 0;
 if (short_term_ref_pic_set_sps_flag) {
 curr_sps_idx = short_term_ref_pic_set_idx;
 } else {
diff --git a/common_video/h265/h265_common.h b/common_video/h265/h265_common.h
index 1a76077b34..fcb97815ff 100644
--- a/common_video/h265/h265_common.h
+++ b/common_video/h265/h265_common.h
@@ -64,11 +64,11 @@ enum SliceType : uint8_t { kB = 0, kP = 1, kI = 2 };
 struct NaluIndex {
 // Start index of NALU, including start sequence.
- size_t start_offset;
+ size_t start_offset = 0;
 // Start index of NALU payload, typically type header.
- size_t payload_start_offset;
+ size_t payload_start_offset = 0;
 // Length of NALU payload, in bytes, counting from payload_start_offset.
- size_t payload_size;
+ size_t payload_size = 0;
 };
 // Returns a vector of the NALU indices in the given buffer.
diff --git a/common_video/h265/h265_sps_parser.cc b/common_video/h265/h265_sps_parser.cc
index 96aee7c569..a2da4b9b7b 100644
--- a/common_video/h265/h265_sps_parser.cc
+++ b/common_video/h265/h265_sps_parser.cc
@@ -111,7 +111,7 @@ absl::optional H265SpsParser::ParseSps(
 }
 bool H265SpsParser::ParseScalingListData(BitstreamReader& reader) {
- int32_t scaling_list_dc_coef_minus8[kMaxNumSizeIds][kMaxNumMatrixIds];
+ int32_t scaling_list_dc_coef_minus8[kMaxNumSizeIds][kMaxNumMatrixIds] = {};
 for (int size_id = 0; size_id < kMaxNumSizeIds; size_id++) {
 for (int matrix_id = 0; matrix_id < kMaxNumMatrixIds; matrix_id += (size_id == 3) ? 3 : 1) {
@@ -182,8 +182,8 @@ H265SpsParser::ParseShortTermRefPicSet(
 short_term_ref_pic_set[ref_rps_idx].num_delta_pocs;
 IN_RANGE_OR_RETURN_NULL(num_delta_pocs, 0, kMaxShortTermRefPicSets);
 const ShortTermRefPicSet& ref_set = short_term_ref_pic_set[ref_rps_idx];
- bool used_by_curr_pic_flag[kMaxShortTermRefPicSets];
- bool use_delta_flag[kMaxShortTermRefPicSets];
+ bool used_by_curr_pic_flag[kMaxShortTermRefPicSets] = {};
+ bool use_delta_flag[kMaxShortTermRefPicSets] = {};
 // 7.4.8 - use_delta_flag defaults to 1 if not present.
 std::fill_n(use_delta_flag, kMaxShortTermRefPicSets, true);
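Review bot: The `IN_RANGE_OR_RETURN_NULL(num_delta_pocs, 0, kMaxShortTermRefPicSets)` check two lines above the new arrays accepts num_delta_pocs equal to kMaxShortTermRefPicSets, which is also the length of used_by_curr_pic_flag and use_delta_flag; if the loop that fills them (outside this hunk) follows 7.4.8 and iterates j <= num_delta_pocs, its last iteration indexes one past the end, and the new `= {}` does nothing against that. Worth confirming the loop's bound against the array length and, if it is inclusive, lowering the check to `kMaxShortTermRefPicSets - 1`. Separately, the `= {}` on use_delta_flag is dead: the `std::fill_n` two lines later overwrites every element, so only used_by_curr_pic_flag needs the zero-initialisation. ParseShortTermRefPicSet starts before and continues after this hunk.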
@@ -266,7 +266,7 @@ H265SpsParser::ParseShortTermRefPicSet(
 for (uint32_t i = 0; i < st_ref_pic_set.num_negative_pics; i++) {
 // delta_poc_s0_minus1: ue(v)
- int delta_poc_s0_minus1;
+ int delta_poc_s0_minus1 = 0;
 delta_poc_s0_minus1 = reader.ReadExponentialGolomb();
 IN_RANGE_OR_RETURN_NULL(delta_poc_s0_minus1, 0, 0x7FFF);
 if (i == 0) {
@@ -281,7 +281,7 @@ H265SpsParser::ParseShortTermRefPicSet(
 for (uint32_t i = 0; i < st_ref_pic_set.num_positive_pics; i++) {
 // delta_poc_s1_minus1: ue(v)
- int delta_poc_s1_minus1;
+ int delta_poc_s1_minus1 = 0;
 delta_poc_s1_minus1 = reader.ReadExponentialGolomb();
 IN_RANGE_OR_RETURN_NULL(delta_poc_s1_minus1, 0, 0x7FFF);
 if (i == 0) {
@@ -319,10 +319,8 @@ H265SpsParser::ParseProfileTierLevel(bool profile_present,
 reader.ConsumeBits(1);
 pf_tier_level.general_profile_idc = reader.ReadBits(5);
 IN_RANGE_OR_RETURN_NULL(pf_tier_level.general_profile_idc, 0, 11);
- uint16_t general_profile_compatibility_flag_high16;
- uint16_t general_profile_compatibility_flag_low16;
- general_profile_compatibility_flag_high16 = reader.ReadBits(16);
- general_profile_compatibility_flag_low16 = reader.ReadBits(16);
+ uint16_t general_profile_compatibility_flag_high16 = reader.ReadBits(16);
+ uint16_t general_profile_compatibility_flag_low16 = reader.ReadBits(16);
 pf_tier_level.general_profile_compatibility_flags =
 (general_profile_compatibility_flag_high16 << 16) +
 general_profile_compatibility_flag_low16;
@@ -344,8 +342,8 @@ H265SpsParser::ParseProfileTierLevel(bool profile_present,
 reader.ConsumeBits(1);
 }
 pf_tier_level.general_level_idc = reader.ReadBits(8);
- bool sub_layer_profile_present_flag[8];
- bool sub_layer_level_present_flag[8];
+ bool sub_layer_profile_present_flag[8] = {};
+ bool sub_layer_level_present_flag[8] = {};
 for (int i = 0; i < max_num_sub_layers_minus1; ++i) {
 sub_layer_profile_present_flag[i] = reader.ReadBits(1);
 sub_layer_level_present_flag[i] = reader.ReadBits(1);
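Review bot: `int delta_poc_s0_minus1 = 0;` immediately followed by `delta_poc_s0_minus1 = reader.ReadExponentialGolomb();` is the same split declaration the first hunk of this commit folds for slice_type; write it as `int delta_poc_s0_minus1 = reader.ReadExponentialGolomb();` here and likewise for delta_poc_s1_minus1 in the @@ -281 hunk. If ReadExponentialGolomb returns uint32_t, as storing its result in a `uint32_t slice_type` in h265_bitstream_parser.cc suggests, the int receiver also narrows; the 0 lower bound in IN_RANGE_OR_RETURN_NULL rejects values that wrapped negative, so the outcome is safe, but a comment on that line saying the lower bound is what makes the narrowing acceptable would stop a later cleanup from dropping it. Both enclosing for-loops open inside the hunk and continue after it.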
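Review bot: `(general_profile_compatibility_flag_high16 << 16) + general_profile_compatibility_flag_low16` in the context lines just below the new declarations still shifts a promoted `int`, not a uint16_t: a stream whose high half has bit 15 set yields a value outside int's range, the kind of signed-shift overflow UBSan flags and this commit set out to remove, and the `+` then relies on that implementation-defined result converting back to uint32_t. Do the arithmetic unsigned: `(static_cast<uint32_t>(general_profile_compatibility_flag_high16) << 16) | general_profile_compatibility_flag_low16;`. Declaring the two halves as `uint32_t` instead of uint16_t would make the cast unnecessary at the use site. ParseProfileTierLevel continues outside the hunk.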
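Review bot: Zero-initialising sub_layer_profile_present_flag[8] and sub_layer_level_present_flag[8] only covers reads of entries the loop never wrote; the writes `sub_layer_profile_present_flag[i] = reader.ReadBits(1);` still rely on max_num_sub_layers_minus1 being below 8, and nothing in this hunk bounds it. If the caller of ParseProfileTierLevel does not already range-check that parameter, add `IN_RANGE_OR_RETURN_NULL(max_num_sub_layers_minus1, 0, 6);` before the loop (the syntax allows at most 7 sub-layers), or size both arrays with the kMaxSubLayers constant that the sps_max_num_reorder_pics array in this file already uses so the two limits cannot drift apart. The function starts and ends outside the hunk.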
@@ -443,7 +441,7 @@ absl::optional H265SpsParser::ParseSpsInternal(
 // Equation A-2: Calculate max_dpb_size.
 uint32_t max_luma_ps = GetMaxLumaPs(profile_tier_level->general_level_idc);
- uint32_t max_dpb_size;
+ uint32_t max_dpb_size = 0;
 uint32_t pic_size_in_samples_y = pic_height_in_luma_samples;
 pic_size_in_samples_y *= pic_width_in_luma_samples;
 size_t max_dpb_pic_buf =
@@ -503,7 +501,7 @@ absl::optional H265SpsParser::ParseSpsInternal(
 uint32_t sps_sub_layer_ordering_info_present_flag = 0;
 // sps_sub_layer_ordering_info_present_flag: u(1)
 sps_sub_layer_ordering_info_present_flag = reader.Read();
- uint32_t sps_max_num_reorder_pics[kMaxSubLayers];
+ uint32_t sps_max_num_reorder_pics[kMaxSubLayers] = {};
 for (uint32_t i = (sps_sub_layer_ordering_info_present_flag != 0) ? 0 : sps_max_sub_layers_minus1;
@@ -552,8 +550,8 @@ absl::optional H265SpsParser::ParseSpsInternal(
 // log2_min_luma_transform_block_size_minus2: ue(v)
 int log2_min_luma_transform_block_size_minus2 =
 reader.ReadExponentialGolomb();
- TRUE_OR_RETURN(log2_min_luma_transform_block_size_minus2 <
- min_cb_log2_size_y - 2);
+ IN_RANGE_OR_RETURN_NULL(log2_min_luma_transform_block_size_minus2, 0,
+ min_cb_log2_size_y - 3);
 int min_tb_log2_size_y = log2_min_luma_transform_block_size_minus2 + 2;
 // log2_diff_max_min_luma_transform_block_size: ue(v)
 int log2_diff_max_min_luma_transform_block_size =
diff --git a/common_video/h265/h265_sps_parser.h b/common_video/h265/h265_sps_parser.h
index 2dece2b722..854c0f29eb 100644
--- a/common_video/h265/h265_sps_parser.h
+++ b/common_video/h265/h265_sps_parser.h
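Review bot: `pic_size_in_samples_y *= pic_width_in_luma_samples;` right after the new `max_dpb_size = 0;` is an unsigned 32-bit multiply of two stream-controlled dimensions, and the hunk shows no bound on either; a wrapped product would not fail the parse but feed a too-small sample count into the max_dpb_size derivation that follows. Unless width and height are already capped before this point, check the product in 64 bits first, e.g. `TRUE_OR_RETURN(static_cast<uint64_t>(pic_width_in_luma_samples) * pic_height_in_luma_samples <= max_luma_ps);` (A.4.1 limits the product by MaxLumaPs), provided GetMaxLumaPs returns a non-zero value for every level the parser accepts. ParseSpsInternal starts before and continues after this hunk.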
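Review bot: The 0 lower bound in the new `IN_RANGE_OR_RETURN_NULL(log2_min_luma_transform_block_size_minus2, 0, min_cb_log2_size_y - 3)` is the substantive fix — the upper bound is the old `< min_cb_log2_size_y - 2` rewritten — yet nothing says why it matters: the value is an `int` filled from ReadExponentialGolomb two lines above, so if that call returns a 32-bit unsigned value an oversized ue(v) code wraps negative and used to satisfy the `<` test. Record that above the check, e.g. `// 0 lower bound: an oversized ue(v) code wraps the int receiver negative.` It may also be worth noting that min_cb_log2_size_y below 3 makes the upper bound negative and rejects the stream, which looks intended since MinCbLog2SizeY cannot be smaller than 3. ParseSpsInternal continues outside the hunk.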
@@ -47,29 +47,29 @@ class H265SpsParser {
 struct ProfileTierLevel {
 ProfileTierLevel();
 // Syntax elements.
- int general_profile_idc;
- int general_level_idc; // 30x the actual level.
- uint32_t general_profile_compatibility_flags;
- bool general_progressive_source_flag;
- bool general_interlaced_source_flag;
- bool general_non_packed_constraint_flag;
- bool general_frame_only_constraint_flag;
- bool general_one_picture_only_constraint_flag;
+ int general_profile_idc = 0;
+ int general_level_idc = 0; // 30x the actual level.
+ uint32_t general_profile_compatibility_flags = 0;
+ bool general_progressive_source_flag = false;
+ bool general_interlaced_source_flag = false;
+ bool general_non_packed_constraint_flag = false;
+ bool general_frame_only_constraint_flag = false;
+ bool general_one_picture_only_constraint_flag = false;
 };
 struct ShortTermRefPicSet {
 ShortTermRefPicSet();
 // Syntax elements.
- uint32_t num_negative_pics;
- uint32_t num_positive_pics;
- uint32_t delta_poc_s0[kMaxShortTermRefPicSets];
- uint32_t used_by_curr_pic_s0[kMaxShortTermRefPicSets];
- uint32_t delta_poc_s1[kMaxShortTermRefPicSets];
- uint32_t used_by_curr_pic_s1[kMaxShortTermRefPicSets];
+ uint32_t num_negative_pics = 0;
+ uint32_t num_positive_pics = 0;
+ uint32_t delta_poc_s0[kMaxShortTermRefPicSets] = {};
+ uint32_t used_by_curr_pic_s0[kMaxShortTermRefPicSets] = {};
+ uint32_t delta_poc_s1[kMaxShortTermRefPicSets] = {};
+ uint32_t used_by_curr_pic_s1[kMaxShortTermRefPicSets] = {};
 // Calculated fields.
- uint32_t num_delta_pocs;
+ uint32_t num_delta_pocs = 0;
 };
 // The parsed state of the SPS. Only some select values are stored.
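Review bot: Every member of ProfileTierLevel and ShortTermRefPicSet now has a default member initialiser, yet both structs keep the user-declared `ProfileTierLevel();` and `ShortTermRefPicSet();` constructors whose definitions are outside this hunk. If those bodies only zero the same members they are now redundant and should become `ProfileTierLevel() = default;` and `ShortTermRefPicSet() = default;` so that a field added later has exactly one place to be initialised; if they do more than that, a one-line comment on each declaration saying what would save the next reader the same check. The class H265SpsParser starts before and continues after the hunk.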