Skip to content

[libopenapv] Fix signed overflow in VLC decoding#213

Open
fkyslov wants to merge 1 commit into
AcademySoftwareFoundation:mainfrom
fkyslov:fix-signed-overflow-40253925
Open

[libopenapv] Fix signed overflow in VLC decoding#213
fkyslov wants to merge 1 commit into
AcademySoftwareFoundation:mainfrom
fkyslov:fix-signed-overflow-40253925

Conversation

@fkyslov

@fkyslov fkyslov commented Jun 9, 2026

Copy link
Copy Markdown
Contributor

Add bounds checking to BSW_FLUSH_4BYTE and BSW_FLUSH_8BYTE macros in oapv_vlc.c to prevent writing past the end of the bitstream buffer during VLC encoding.

Add bounds checking in enc_frame in oapv.c to ensure the cumulative tile bitstream size does not exceed the target bitstream buffer end before copying tile bitstreams.

Change-Id: Ib40bc500096b6fda93e5802d97b306e4320ba6eb

Add bounds checks to prevent signed integer overflow during VLC decoding.

1. In dec_vlc_read_1bit_read, limit the number of leading zeros (k)
   to < 30 to prevent overflow when calculating symbol and suffix.
2. In dec_vlc_read, limit k to < 31 in the exp-golomb loop to prevent
   signed overflow in the shift operation (1 << k).
3. Update KPARAM_AC macro in oapv_vlc.h to use oapv_clip3 instead of
   oapv_min, ensuring the returned parameter is always >= 0.

This prevents a crash in media.swcodec when processing malformed
bitstreams with excessive zeros.

Bug: 495077878
Test: manual verification with stagefright and PoC
Flag: EXEMPT BUGFIX
Change-Id: Ia44c26d6a012681d94873bb1bcd372008c8b5bda
@fkyslov

fkyslov commented Jun 9, 2026

Copy link
Copy Markdown
Contributor Author

@kpchoi please review

Comment thread src/oapv_vlc.c
}
}

oapv_assert_rv(k < 32, -1); /* prevent too large (impossible) k value */

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This code can support similar assert operation without significant performance drop.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please elaborate? assert is needed to prevent more than 30 leading zeroes to be read as reading more than 30 zeroes would lead to overflow.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One conditional brach in VLC code leads significant performance drop. and already the assert is outside of the loop.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, there is an assert outside the loop, but the value of "k" is increasing inside the loop. There will be a performance drop, correct, please recommend a better approach.

Comment thread src/oapv_vlc.h

#define KPARAM_DC(level) oapv_min((level)>>1, OAPV_KPARAM_DC_MAX)
#define KPARAM_AC(level) oapv_min((level)>>2, OAPV_KPARAM_AC_MAX)
#define KPARAM_AC(level) oapv_clip3(OAPV_KPARAM_AC_MIN, OAPV_KPARAM_AC_MAX, (level)>>2)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Level is always positive and monotonically increasing. Camparing with min value is not required.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless it overflows. This code prevents crash (because of MIN_INT) in case of (unintended overflow)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is difficult to understand why it can prevent crash. as I mentioned, level is always positive. and it is limited to some value.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants