[Decode] JPEG roubustness enhancement
check more syntax to avoid buffer overflow
shawnli2 authored and intel-mediadev committed Jul 28, 2023
1 parent b6d0384 commit 55c4003
Showing 4 changed files with 52 additions and 2 deletions.
6 changes: 6 additions & 0 deletions media_driver/linux/common/codec/ddi/media_ddi_decode_jpeg.cpp
Expand Up @@ -87,6 +87,12 @@ VAStatus DdiDecodeJPEG::ParseSliceParams(
int32_t startIdx = m_numScans;
for (j = 0; j < numSlices; j++)
{
if (j + startIdx >= jpegNumComponent ||
slcParam[j].num_components > jpegNumComponent)
{
return VA_STATUS_ERROR_INVALID_PARAMETER;
}

for (i = 0; i < slcParam[j].num_components; i++)
{
jpegSliceParam->ScanHeader[j + startIdx].ComponentSelector[i] = slcParam[j].components[i].component_selector;
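Review bot: The guard added at the top of the `for (j ...)` loop bounds `j + startIdx` and `num_components` by `jpegNumComponent`, but nothing visible ties that constant to the declared sizes of `ScanHeader[]` and `ComponentSelector[]`, which are the arrays indexed two lines later. A comment on the check such as `// ScanHeader[] and ComponentSelector[] each hold jpegNumComponent entries; reject anything that would index past them` (after confirming the declarations, which are outside this page) would keep the bound from drifting if either array is resized. The rejection is also silent and happens mid-loop, so entries for earlier slices are presumably already written when a later slice fails; a log line naming the offending field would help triage. The same applies to the identical check in the `DdiDecodeJpeg::ParseSliceParams` hunk further down. The function body starts and ends outside the hunk.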
Expand Up @@ -220,13 +220,20 @@ MOS_STATUS JpegDecodePicPktXe_M_Base::AddMfxQmCmd(MOS_COMMAND_BUFFER &cmdBuffer)

MHW_VDBOX_QM_PARAMS qmParams;
SetMfxQmParams(qmParams);

if (m_jpegPicParams->m_numCompInFrame > jpegNumComponent)
{
DECODE_ASSERTMESSAGE("Unsupported Component Number in JPEG Picture parameter.");
return MOS_STATUS_INVALID_PARAMETER;
}

for (uint16_t scanCount = 0; scanCount < m_jpegPicParams->m_numCompInFrame; scanCount++)
{
// Using scanCount here because the same command is used for JPEG decode and encode
uint32_t quantTableSelector = m_jpegPicParams->m_quantTableSelector[scanCount];
if (quantTableSelector >= JPEG_MAX_NUM_OF_QUANTMATRIX)
{
MEDIA_ASSERTMESSAGE("Unsupported QuantTableSelector in JPEG Picture parameter.");
DECODE_ASSERTMESSAGE("Unsupported QuantTableSelector in JPEG Picture parameter.");
return MOS_STATUS_INVALID_PARAMETER;
}
qmParams.pJpegQuantMatrix->m_jpegQMTableType[quantTableSelector] = scanCount;
Expand All @@ -245,10 +252,22 @@ MOS_STATUS JpegDecodePicPktXe_M_Base::AddMfxJpegHuffTableCmd(MOS_COMMAND_BUFFER
uint32_t dcCurHuffTblIndex[2] = {0xff, 0xff};
uint32_t acCurHuffTblIndex[2] = {0xff, 0xff};

if (m_jpegBasicFeature->m_jpegScanParams->NumScans > jpegNumComponent)
{
DECODE_ASSERTMESSAGE("Unsupported Component Number in JPEG Scan parameter.");
return MOS_STATUS_INVALID_PARAMETER;
}

for (uint16_t scanCount = 0; scanCount < m_jpegBasicFeature->m_jpegScanParams->NumScans; scanCount++)
{
// MFX_JPEG_HUFF_TABLE
uint16_t numComponents = m_jpegBasicFeature->m_jpegScanParams->ScanHeader[scanCount].NumComponents;
if (numComponents > jpegNumComponent)
{
DECODE_ASSERTMESSAGE("Unsupported Component Number in JPEG Scan parameter.");
return MOS_STATUS_INVALID_PARAMETER;
}

for (uint16_t scanComponent = 0; scanComponent < numComponents; scanComponent++)
{
// Determine which huffman table we will be writing to
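Review bot: In `AddMfxJpegHuffTableCmd` the new `NumScans > jpegNumComponent` check logs "Unsupported Component Number in JPEG Scan parameter.", the same text as the per-scan `numComponents` check a few lines below, so a log reader cannot tell whether the scan count or a scan's component count was rejected. I would give the first check its own message, e.g. `DECODE_ASSERTMESSAGE("Unsupported NumScans in JPEG Scan parameter.");`. The same pair of checks in `JpegDecodePicPkt::AddAllCmds_MFX_JPEG_HUFF_TABLE_STATE` has the same ambiguity (with slightly different wording, "Components Number ... scan parameter"), so the strings are worth aligning across both files. Both function bodies continue outside the hunks.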
Expand Up @@ -319,13 +319,20 @@ MOS_STATUS JpegDecodePicPkt::AddAllCmds_MFX_QM_STATE(PMOS_COMMAND_BUFFER cmdBuff
{
bJpegQMRotation = false;
}

if (m_jpegPicParams->m_numCompInFrame > jpegNumComponent)
{
DECODE_ASSERTMESSAGE("Unsupported Component Number in JPEG Picture parameter.");
return MOS_STATUS_INVALID_PARAMETER;
}

for (uint16_t scanCount = 0; scanCount < m_jpegPicParams->m_numCompInFrame; scanCount++)
{
// Using scanCount here because the same command is used for JPEG decode and encode
uint32_t quantTableSelector = m_jpegPicParams->m_quantTableSelector[scanCount];
if (quantTableSelector >= JPEG_MAX_NUM_OF_QUANTMATRIX)
{
MEDIA_ASSERTMESSAGE("Unsupported QuantTableSelector in JPEG Picture parameter.");
DECODE_ASSERTMESSAGE("Unsupported QuantTableSelector in JPEG Picture parameter.");
return MOS_STATUS_INVALID_PARAMETER;
}
pJpegQuantMatrix->m_jpegQMTableType[quantTableSelector] = scanCount;
Expand Down Expand Up @@ -367,10 +374,22 @@ MOS_STATUS JpegDecodePicPkt::AddAllCmds_MFX_JPEG_HUFF_TABLE_STATE(PMOS_COMMAND_B
uint32_t dcCurHuffTblIndex[2] = {0xff, 0xff};
uint32_t acCurHuffTblIndex[2] = {0xff, 0xff};

if (m_jpegBasicFeature->m_jpegScanParams->NumScans > jpegNumComponent)
{
DECODE_ASSERTMESSAGE("Unsupported Components Number in JPEG scan parameter.");
return MOS_STATUS_INVALID_PARAMETER;
}

for (uint16_t scanCount = 0; scanCount < m_jpegBasicFeature->m_jpegScanParams->NumScans; scanCount++)
{
// MFX_JPEG_HUFF_TABLE
uint16_t numComponents = m_jpegBasicFeature->m_jpegScanParams->ScanHeader[scanCount].NumComponents;
if (numComponents > jpegNumComponent)
{
DECODE_ASSERTMESSAGE("Unsupported Components Number in JPEG scan parameter.");
return MOS_STATUS_INVALID_PARAMETER;
}

for (uint16_t scanComponent = 0; scanComponent < numComponents; scanComponent++)
{
// Determine which huffman table we will be writing to
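Review bot: These range checks on `m_numCompInFrame`, `NumScans` and `NumComponents` are added at command-emission time in `AddAllCmds_MFX_QM_STATE` and `AddAllCmds_MFX_JPEG_HUFF_TABLE_STATE`, and an identical set is added to `JpegDecodePicPktXe_M_Base` in this commit, so every consumer of the picture and scan parameters has to repeat them. If the shared JPEG feature code that populates `m_jpegPicParams` and `m_jpegScanParams` (not shown on this page) does not already validate these fields, doing it once there would cover both packet classes and any later reader of the same structures. At minimum a comment above each check, e.g. `// m_quantTableSelector[] is indexed by scanCount below`, would record what each bound protects.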
Expand Up @@ -85,6 +85,12 @@ VAStatus DdiDecodeJpeg::ParseSliceParams(
int32_t startIdx = m_numScans;
for (j = 0; j < numSlices; j++)
{
if (j + startIdx >= jpegNumComponent ||
slcParam[j].num_components > jpegNumComponent)
{
return VA_STATUS_ERROR_INVALID_PARAMETER;
}

for (i = 0; i < slcParam[j].num_components; i++)
{
jpegSliceParam->ScanHeader[j + startIdx].ComponentSelector[i] = slcParam[j].components[i].component_selector;
