From patchwork Fri Dec 6 16:03:02 2019
X-Patchwork-Submitter: Andriy Gelman
X-Patchwork-Id: 16636
From: Andriy Gelman
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 6 Dec 2019 11:03:02 -0500
Message-Id: <20191206160302.13606-1-andriy.gelman@gmail.com>
X-Mailer: git-send-email 2.24.0
Subject: [FFmpeg-devel] [PATCH] lavc/cbs_h2645: Fix incorrect max size of nalu unit

In the worst case the startcode prefix has 4 bytes. This fixes a triggered assertion:

Assertion dp <= max_size failed at libavcodec/cbs_h2645.c:1451

Found-by: libFuzzer
Signed-off-by: Andriy Gelman
---
 libavcodec/cbs_h2645.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
index 88fa0029cd6..5f71d805848 100644
--- a/libavcodec/cbs_h2645.c
+++ b/libavcodec/cbs_h2645.c
@@ -1395,7 +1395,7 @@ static int cbs_h2645_assemble_fragment(CodedBitstreamContext *ctx, max_size = 0; for (i = 0; i < frag->nb_units; i++) { // Start code + content with worst-case emulation prevention. - max_size += 3 + frag->units[i].data_size * 3 / 2; + max_size += 4 + frag->units[i].data_size * 3 / 2; } data = av_realloc(NULL, max_size + AV_INPUT_BUFFER_PADDING_SIZE);
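Review bot: the comment above the changed line still reads "Start code + content with worst-case emulation prevention" and does not say where the fourth byte comes from; since the constant is now a bound rather than the 3-byte start_code_prefix itself, the comment should spell out that Annex B prepends a zero_byte before the 00 00 01 prefix for some NAL units (parameter sets and the first NAL unit of an access unit), so the per-unit worst case is 4 bytes, e.g. "// zero_byte + 3-byte start code, plus content with worst-case emulation prevention." Without that, the next reader has no way to tell 4 from a typo and may "correct" it back to 3, reintroducing the `dp <= max_size` assertion failure the commit message describes. The remaining `data_size * 3 / 2` term is fine as an upper bound: emulation prevention inserts at most one 0x03 per two payload bytes (including the trailing byte CBS appends when the unit ends in zero), so floor(3n/2) = n + floor(n/2) never underestimates; it would be worth stating that in the same comment so the bound is auditable rather than folklore.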