[FFmpeg-devel,2/2] lavc/hevc_mp4toannexb_bsf: warn if a NAL size would overflow the buffer

Submitted by Rodger Combs on Aug. 23, 2018, 9:37 p.m.

Details

Message ID 20180823213753.36856-2-rodger.combs@gmail.com
State New

Commit Message

Rodger Combs Aug. 23, 2018, 9:37 p.m.
This didn't actually cause a buffer overread previously, but it could result
in the end of a NAL being filled with zeros silently.
---
 libavcodec/hevc_mp4toannexb_bsf.c | 5 +++++
 1 file changed, 5 insertions(+)


diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c
index fb4ea34a93..c40308f367 100644
--- a/libavcodec/hevc_mp4toannexb_bsf.c
+++ b/libavcodec/hevc_mp4toannexb_bsf.c
@@ -70,6 +70,10 @@  static int hevc_extradata_to_annexb(AVBSFContext *ctx)
 
         for (j = 0; j < cnt; j++) {
             int nalu_len = bytestream2_get_be16(&gb);
+            if (nalu_len < 1 || bytestream2_get_bytes_left(&gb) < nalu_len) {
+                av_log(ctx, AV_LOG_WARNING, "Extradata NAL ended prematurely\n");
+                goto done;
+            }
 
             if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
                 ret = AVERROR_INVALIDDATA;
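Review bot: The added truncation check `if (nalu_len < 1 || bytestream2_get_bytes_left(&gb) < nalu_len)` jumps to `done`, so the NALs converted so far are still installed as `par_out->extradata` with only a warning, while the size-overflow check directly below sets `ret = AVERROR_INVALIDDATA` (presumably followed by a jump to the error path, which is outside the hunk). If accepting a partially converted parameter-set list is intended, a comment on the branch would record that, e.g. `/* truncated extradata: keep the NALs converted so far */`; otherwise the branch could set `ret = AVERROR_INVALIDDATA;` and take the same error path, so malformed extradata is rejected rather than passed downstream. The `nalu_len < 1` half also fires for a zero-length entry, where "ended prematurely" is misleading; logging the value, `"Extradata NAL ended prematurely (nalu_len=%d)\n"`, would let the two cases be told apart. The body of hevc_extradata_to_annexb starts and ends outside the hunk.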
@@ -86,6 +90,7 @@  static int hevc_extradata_to_annexb(AVBSFContext *ctx)
         }
     }
 
+done:
     av_freep(&ctx->par_out->extradata);
     ctx->par_out->extradata      = new_extradata;
     ctx->par_out->extradata_size = new_extradata_size;