Bound ULEB128-derived allocation sizes in RenderingConfig and ElementGainOffsetConfig#62
Merged
`RenderingConfig::CreateFromBuffer()` and `ElementGainOffsetConfig::CreateFromBuffer()` read ULEB128 values from the bitstream and use them directly to size `std::vector` allocations with no upper bound. A crafted IAMF bitstream can set these values up to ~4 GB (max ULEB128), causing `std::bad_alloc` / OOM process termination.

Add bounds checks against `kEntireObuSizeMaxTwoMegabytes` before allocation, consistent with the existing pattern in `extended_param_definition.cc` and `param_definition_base.cc`.

Affected sites:
- `rendering_config.cc`: `rendering_config_extension_size` → `vector(N)`
- `element_gain_offset_config.cc`: `element_gain_offset_size` → `vector(N)`

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR hardens IAMF OBU parsing against malicious or malformed bitstreams by bounding ULEB128-derived size fields before allocating extension byte vectors, preventing potential OOM-triggered crashes.
Changes:
- Add a `kEntireObuSizeMaxTwoMegabytes` upper-bound check for `rendering_config_extension_size` in `RenderingConfig::CreateFromBuffer()`.
- Add the same upper-bound check for `element_gain_offset_size` in `ElementGainOffsetConfig::CreateFromBuffer()`.
- Update Bazel deps to include `:types` where the new constant is referenced.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| iamf/obu/rendering_config.cc | Adds a max-size guard before allocating/reading rendering config extension bytes. |
| iamf/obu/element_gain_offset_config.cc | Adds a max-size guard before allocating/reading element gain offset extension bytes; includes needed headers. |
| iamf/obu/BUILD | Adds :types dependency for element_gain_offset_config to support the new constant reference. |
Summary

- Add bounds checks against `kEntireObuSizeMaxTwoMegabytes` before ULEB128-sized vector allocations in `RenderingConfig::CreateFromBuffer()` and `ElementGainOffsetConfig::CreateFromBuffer()`
- Consistent with the existing pattern in `extended_param_definition.cc` and `param_definition_base.cc`

Problem

`rendering_config_extension_size` and `element_gain_offset_size` are read as ULEB128 values from the bitstream and passed directly to `std::vector` constructors with no upper bound. A 5-byte ULEB128 encoding can request up to ~4 GB, causing `std::bad_alloc` → `std::terminate` → process crash.

Affected sites:
- `rendering_config.cc`: `rendering_config_extension_size` → `vector<uint8_t>(N)`
- `element_gain_offset_config.cc`: `element_gain_offset_size` → `vector<uint8_t>(N)`

Fix

Check against the existing `kEntireObuSizeMaxTwoMegabytes` (2 MB) constant before allocating, returning `InvalidArgumentError` for oversized values. This is the same pattern used at:
- `extended_param_definition.cc:46`
- `param_definition_base.cc:147`

Test plan

- `bazelisk test //iamf/obu/...`
- `rendering_config_extension_size = 0x3FFFFFFF` now returns error instead of OOM crash
- `element_gain_offset_size` now returns error instead of OOM crash
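The pattern this PR applies, as a self-contained added example (not the project's code): decode a ULEB128 size from a byte buffer, then refuse it against a 2 MB cap before any `std::vector` is constructed. The `kEntireObuSizeMaxTwoMegabytes` value and the `std::optional` return (where the project returns `InvalidArgumentError`) are assumptions made for this standalone snippet.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Constructed stand-in for the project's `kEntireObuSizeMaxTwoMegabytes`.
constexpr uint32_t kEntireObuSizeMaxTwoMegabytes = 2u * 1024u * 1024u;

// Decodes an unsigned LEB128 value (at most 5 bytes, 32 bits) from `buf`
// starting at `*pos`. Returns nullopt on truncation or overflow.
std::optional<uint32_t> ReadUleb128(const std::vector<uint8_t>& buf,
                                    size_t* pos) {
  uint64_t value = 0;
  for (int i = 0; i < 5; ++i) {
    if (*pos >= buf.size()) return std::nullopt;  // truncated encoding
    const uint8_t byte = buf[(*pos)++];
    value |= static_cast<uint64_t>(byte & 0x7f) << (7 * i);
    if ((byte & 0x80) == 0) {
      if (value > UINT32_MAX) return std::nullopt;  // does not fit 32 bits
      return static_cast<uint32_t>(value);
    }
  }
  return std::nullopt;  // continuation bit still set after 5 bytes
}

// Reads a ULEB128-prefixed extension blob. The size is bounded *before* the
// vector exists, so a crafted 0x3FFFFFFF (or ~4 GB) size never allocates.
std::optional<std::vector<uint8_t>> ReadBoundedExtension(
    const std::vector<uint8_t>& buf, size_t* pos) {
  const std::optional<uint32_t> size = ReadUleb128(buf, pos);
  if (!size.has_value()) return std::nullopt;
  if (*size > kEntireObuSizeMaxTwoMegabytes) return std::nullopt;  // the fix
  if (buf.size() - *pos < *size) return std::nullopt;  // blob past end of buffer
  std::vector<uint8_t> out(buf.begin() + *pos, buf.begin() + *pos + *size);
  *pos += *size;
  return out;
}

// Convenience wrappers that parse from the start of a buffer.
std::optional<uint32_t> DecodeUleb128(const std::vector<uint8_t>& buf) {
  size_t pos = 0;
  return ReadUleb128(buf, &pos);
}
std::optional<std::vector<uint8_t>> ParseExtension(
    const std::vector<uint8_t>& buf) {
  size_t pos = 0;
  return ReadBoundedExtension(buf, &pos);
}
```

The 5-byte sequence `FF FF FF FF 03` encodes exactly the `0x3FFFFFFF` size from the test plan and is rejected without touching the allocator.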