Willy R. Vasquez issues

Results 6 issues of


Willy R. Vasquez

Wrong Bounds Check for pic_parameter_set_id

The `pic_parameter_set_id` is a ParamSetId struct, which checks if the ID is within [0, 31]: https://github.com/dholroyd/h264-reader/blob/master/src/nal/pps.rs#L218 Valid bitstreams can have `pic_parameter_set_id`s in the range [0, 255].

Panic from 'attempt to add with overflow' in qs_y calculation

https://github.com/dholroyd/h264-reader/blob/8cae2315eee5796b297a412d388c7cf797b386da/src/nal/slice/mod.rs#L602C74-L602C74 A missing bounds check in `pps.pic_init_qs_minus26` can cause an overflow when calculating `qs_y`. Here is an input with `pps.pic_init_qs_minus26` set to `-285` and `slice_qs_delta` set to `-2147483645`: ```rust vec![0x00,...

Incorrect Parsing of Explicit Assignment Slice Groups

Currently, a `slice_group_map_type` of 6 calls [read_group_ids()](https://github.com/dholroyd/h264-reader/blob/master/src/nal/pps.rs#L127) which will use `pic_size_in_map_units_minus1` as the bit-length to read each `run_length_minus1` value, up to `num_slice_groups` times. The `pic_size_in_map_units_minus1` and `num_slice_groups` should be swapped...

Missing bounds-checks for VUI Bitstream Restriction Syntax Elements

The VUI bitstream restriction syntax elements are not bounds checked: https://github.com/dholroyd/h264-reader/blob/master/src/nal/sps.rs#L803-L812 Expected bounds, according to Annex E.2.1 of the spec: - `max_bytes_per_pic_denom`: [0, 16] - `max_bits_per_mb_denom`: [0, 16] - `log2_max_mv_length_horizontal`:...

CS Classics

As I encounter more classics, I'll recommend them here. - [ ] [Impagliazzo's Five Worlds paper](http://www.cs.ucsd.edu/users/russell/average.ps) ([intro here](https://cryptomusings.wordpress.com/2016/02/27/impagliazzos-five-worlds/))

suggestions

! operator on tainted bool automatically unwraps it

https://github.com/PLSysSec/rlbox/blob/2ffb43846498d8dbb21a4c466922599d1d697b37/code/include/rlbox.hpp#L464-L467 This should return a tainted bool.