Message ID | 20191217102217.4811-4-lance.lmwang@gmail.com |
---|---|
State | Superseded |
On Tue, Dec 17, 2019 at 06:22:16PM +0800, lance.lmwang@gmail.com wrote: > From: Limin Wang <lance.lmwang@gmail.com> > > According to the specifications, the payloadSize includes the 16-byte size of UUID. > > Signed-off-by: Limin Wang <lance.lmwang@gmail.com> > --- > libavcodec/h264_sei.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c > index d4eb9c0dab..46fe8692dd 100644 > --- a/libavcodec/h264_sei.c > +++ b/libavcodec/h264_sei.c > @@ -250,14 +250,15 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext * > if (size < 16 || size >= INT_MAX - 16) > return AVERROR_INVALIDDATA; > > - user_data = av_malloc(16 + size + 1); > + user_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE); this can overflow, the previous check still assumes 16 thx [...]
On Tue, Dec 17, 2019 at 10:42:54PM +0100, Michael Niedermayer wrote: > On Tue, Dec 17, 2019 at 06:22:16PM +0800, lance.lmwang@gmail.com wrote: > > From: Limin Wang <lance.lmwang@gmail.com> > > > > According to the specifications, the payloadSize includes the 16-byte size of UUID. > > > > Signed-off-by: Limin Wang <lance.lmwang@gmail.com> > > --- > > libavcodec/h264_sei.c | 7 ++++--- > > 1 file changed, 4 insertions(+), 3 deletions(-) > > > > diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c > > index d4eb9c0dab..46fe8692dd 100644 > > --- a/libavcodec/h264_sei.c > > +++ b/libavcodec/h264_sei.c > > @@ -250,14 +250,15 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext * > > if (size < 16 || size >= INT_MAX - 16) > > return AVERROR_INVALIDDATA; > > > > - user_data = av_malloc(16 + size + 1); > > + user_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE); > > this can overflow, the previous check still assumes 16 Will fix it > > thx > > [...] > -- > Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB > > Freedom in capitalist society always remains about the same as it was in > ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin
diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index d4eb9c0dab..46fe8692dd 100644 --- a/libavcodec/h264_sei.c +++ b/libavcodec/h264_sei.c @@ -250,14 +250,15 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext * if (size < 16 || size >= INT_MAX - 16) return AVERROR_INVALIDDATA; - user_data = av_malloc(16 + size + 1); + user_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE); if (!user_data) return AVERROR(ENOMEM); - for (i = 0; i < size + 16; i++) + for (i = 0; i < size; i++) user_data[i] = get_bits(gb, 8); - user_data[i] = 0; + memset(user_data + size, 0, AV_INPUT_BUFFER_PADDING_SIZE); + e = sscanf(user_data + 16, "x264 - core %d", &build); if (e == 1 && build > 0) h->x264_build = build;
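Review bot: the range check at the top of this hunk, `if (size < 16 || size >= INT_MAX - 16)`, is left unchanged while the allocation below it becomes `av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE)`, so the guard no longer bounds the quantity that is actually added; as Michael points out in the reply, a `size` just below `INT_MAX - 16` still passes the check and the addition can overflow whenever the padding constant exceeds 16. Suggest tightening the guard in the same patch to `size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE` so the check and the allocation stay in step. A smaller point on documentation: the commit message only says that payloadSize includes the UUID; it would help reviewers to also state the visible effect of the change, namely that the old loop `for (i = 0; i < size + 16; i++)` consumed 16 bytes more than the SEI payload declares, the new loop reads exactly `size` bytes, and the `memset` of the padding region now supplies the terminator that `sscanf(user_data + 16, "x264 - core %d", &build)` relies on.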