From patchwork Tue Mar 19 00:18:22 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Thompson X-Patchwork-Id: 12349 Return-Path: X-Original-To: patchwork@ffaux-bg.ffmpeg.org Delivered-To: patchwork@ffaux-bg.ffmpeg.org Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by ffaux.localdomain (Postfix) with ESMTP id E1C9044786A for ; Tue, 19 Mar 2019 02:18:37 +0200 (EET) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id CEB9768A7DE; Tue, 19 Mar 2019 02:18:37 +0200 (EET) X-Original-To: ffmpeg-devel@ffmpeg.org Delivered-To: ffmpeg-devel@ffmpeg.org Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 1AEEE68A7D4 for ; Tue, 19 Mar 2019 02:18:31 +0200 (EET) Received: by mail-wm1-f50.google.com with SMTP id n19so14814071wmi.1 for ; Mon, 18 Mar 2019 17:18:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jkqxz-net.20150623.gappssmtp.com; s=20150623; h=from:to:subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=CSq/BRsmDzN3i9jUvBRO+w3mdN1kpjMU8+PopCeEoF8=; b=Kz81YMmD5eryphcdXf4dMmshlq6CrX2bcaOkUxZAwPHQCeABktmO93+oP18uD1KHxO v5+//zd7EZ1M6wRwu/Xs3uSNhEMSG8IDOq73VNkxLbO+MWscTSZxhSa2QNhmBse3RGdH eDLn3SDh60/avub2xIYP0vpSiA0ggrgenhR6KhG57hc4rgkQjwETgMp4mflYw/WJrS1G LLS+dUVN9ek5GEzk/NnDR2FU70gAw2Bl79gvLq9AopEUA8bjedTrs5c0p4COmfCV5du4 FuLgOx3Gcq9AZwbfGXFy42nB9Wpd6nX5i+KFBFbPsR8WmVmGqr7tiyLOSWIWDpT53zvC nf1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=CSq/BRsmDzN3i9jUvBRO+w3mdN1kpjMU8+PopCeEoF8=; b=IiNPirze5Zh0IIj6O+/B+W1PFDA/4iV5uqKh9d6qwUwGyOdVPoFJagX/uMezmCKw5m 7SCe1CfDjiX9UwvlS2+Idq27K4Ks+xoXMHMP8/qcm6kDMBgu4NliNg8jOZQYcsgFGxWf XxVDE0C6KvgbuyJYT5Q1SndoHIFEow4QG4nGh8bR8EN7Lw2ZOJxKynHQjAo4Gcx3oD4N 7V5aM3y19FCyC+veLFgJTYm6janBeXC5oIZ7R2udIIJQnGxTva1Sk5ZCYYvcTKYyMbhq pWdm+Irr+LCZMSZh7WMMuEzI8mc11V7hL16O2xylvuidxjjR+YbS+5AEnV0vzrTZdYe5 fyiw== X-Gm-Message-State: APjAAAV2eF+LlGiGjY7CyqksGC3NzBNiYENdef48kOBlIZ4153G34RT0 bVloW2wrGOp5WUJ9EwJgdcnPiNaYoUU= X-Google-Smtp-Source: APXvYqx2ebGbilcWNpLUSZ1ujDsVz/p/Vgs3vebs0Gme9P/Jd5gjFOE3qgLl89kn/hnikOD9o6WdzA== X-Received: by 2002:a1c:7008:: with SMTP id l8mr1061964wmc.63.1552954710382; Mon, 18 Mar 2019 17:18:30 -0700 (PDT) Received: from rywe.jkqxz.net (cpc91242-cmbg18-2-0-cust650.5-4.cable.virginm.net. [82.8.130.139]) by smtp.gmail.com with ESMTPSA id j3sm44822046wrg.54.2019.03.18.17.18.29 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 18 Mar 2019 17:18:29 -0700 (PDT) From: Mark Thompson To: ffmpeg-devel@ffmpeg.org Date: Tue, 19 Mar 2019 00:18:22 +0000 Message-Id: <20190319001822.5476-3-sw@jkqxz.net> X-Mailer: git-send-email 2.19.2 In-Reply-To: <20190319001822.5476-1-sw@jkqxz.net> References: <20190319001822.5476-1-sw@jkqxz.net> MIME-Version: 1.0 Subject: [FFmpeg-devel] [PATCH 3/3] cbs_vp9: Validate sizes when splitting small fragments X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" --- libavcodec/cbs_vp9.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/libavcodec/cbs_vp9.c b/libavcodec/cbs_vp9.c index 237416a06f..cd046afa46 100644 --- a/libavcodec/cbs_vp9.c +++ b/libavcodec/cbs_vp9.c @@ -416,6 +416,9 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, uint8_t superframe_header; int err; + if (frag->data_size == 0) + return 0; + // Last byte in the packet. superframe_header = frag->data[frag->data_size - 1]; @@ -427,6 +430,12 @@ static int cbs_vp9_split_fragment(CodedBitstreamContext *ctx, index_size = 2 + (((superframe_header & 0x18) >> 3) + 1) * ((superframe_header & 0x07) + 1); + if (index_size > frag->data_size) { + av_log(ctx->log_ctx, AV_LOG_ERROR, "Superframe index (%" + SIZE_SPECIFIER" bytes) is larger than whole frame (%" + SIZE_SPECIFIER" bytes).\n", index_size, frag->data_size); + return AVERROR_INVALIDDATA; + } err = init_get_bits(&gbc, frag->data + frag->data_size - index_size, 8 * index_size);