From 82797adeff6830d85199fcf8195e5e2dda0c762e Mon Sep 17 00:00:00 2001
From: Dirk Farin <dirk.farin@gmail.com>
Date: Sat, 4 Nov 2023 10:46:17 +0100
Subject: [PATCH] check valid range of depth-representation SEI (ClusterFuzz
 63848)

---
 libheif/error.h | 10 ++++++++++
 libheif/hevc.cc | 29 ++++++++++++++++++++++-------
 2 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/libheif/error.h b/libheif/error.h
index 75769b315e..af2af88f07 100644
--- a/libheif/error.h
+++ b/libheif/error.h
@@ -104,4 +104,14 @@ inline std::ostream& operator<<(std::ostream& ostr, const Error& err)
   return ostr;
 }
 
+
+template <typename T> class Result
+{
+public:
+  operator bool() const { return error.error_code == heif_error_Ok; }
+
+  T value;
+  Error error;
+};
+
 #endif
diff --git a/libheif/hevc.cc b/libheif/hevc.cc
index 4abbaa6c4e..4c23510a22 100644
--- a/libheif/hevc.cc
+++ b/libheif/hevc.cc
@@ -20,6 +20,7 @@
 
 #include "hevc.h"
 #include "bitstream.h"
+#include "error.h"
 
 #include <cassert>
 #include <cmath>
@@ -346,8 +347,10 @@ static double read_depth_rep_info_element(BitReader& reader)
 }
 
 
-static std::shared_ptr<SEIMessage> read_depth_representation_info(BitReader& reader)
+static Result<std::shared_ptr<SEIMessage>> read_depth_representation_info(BitReader& reader)
 {
+  Result<std::shared_ptr<SEIMessage>> result;
+
   auto msg = std::make_shared<SEIMessage_depth_representation_info>();
 
 
@@ -369,9 +372,15 @@ static std::shared_ptr<SEIMessage> read_depth_representation_info(BitReader& rea
 
   int rep_type;
   if (!reader.get_uvlc(&rep_type)) {
-    // TODO error
+    result.error = {heif_error_Invalid_input, heif_suberror_Invalid_parameter_value, "invalid depth representation type in input"};
+    return result;
+  }
+
+  if (rep_type < 0 || rep_type > 3) {
+    result.error = {heif_error_Invalid_input, heif_suberror_Invalid_parameter_value, "input depth representation type out of range"};
+    return result;
   }
-  // TODO: check rep_type range
+
   msg->depth_representation_type = (enum heif_depth_representation_type) rep_type;
 
   //printf("flags: %d %d %d %d\n",msg->has_z_near,msg->has_z_far,msg->has_d_min,msg->has_d_max);
@@ -380,7 +389,8 @@ static std::shared_ptr<SEIMessage> read_depth_representation_info(BitReader& rea
   if (msg->has_d_min || msg->has_d_max) {
     int ref_view;
     if (!reader.get_uvlc(&ref_view)) {
-      // TODO error
+      result.error = {heif_error_Invalid_input, heif_suberror_Invalid_parameter_value, "invalid disparity_reference_view in input"};
+      return result;
     }
     msg->disparity_reference_view = ref_view;
 
@@ -403,7 +413,8 @@ static std::shared_ptr<SEIMessage> read_depth_representation_info(BitReader& rea
     // TODO: load non-uniform response curve
   }
 
-  return msg;
+  result.value = msg;
+  return result;
 }
 
 
@@ -444,8 +455,12 @@ Error decode_hevc_aux_sei_messages(const std::vector<uint8_t>& data,
 
       switch (payload_id) {
         case 177: // depth_representation_info
-          std::shared_ptr<SEIMessage> sei = read_depth_representation_info(sei_reader);
-          msgs.push_back(sei);
+          Result<std::shared_ptr<SEIMessage>> seiResult = read_depth_representation_info(sei_reader);
+          if (seiResult.error) {
+            return seiResult.error;
+          }
+
+          msgs.push_back(seiResult.value);
           break;
       }
     }