diff mbox

[FFmpeg-devel,v1,4/5] avcodec/h264_sei: fix the size of user data unregistered

Message ID 20191217102217.4811-4-lance.lmwang@gmail.com
State Superseded
Headers show

Commit Message

Limin Wang Dec. 17, 2019, 10:22 a.m. UTC
From: Limin Wang <lance.lmwang@gmail.com>

According to the specifications, the payloadSize includes the 16-byte size of UUID.

Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
---
 libavcodec/h264_sei.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Michael Niedermayer Dec. 17, 2019, 9:42 p.m. UTC | #1
On Tue, Dec 17, 2019 at 06:22:16PM +0800, lance.lmwang@gmail.com wrote:
> From: Limin Wang <lance.lmwang@gmail.com>
> 
> According to the specifications, the payloadSize includes the 16-byte size of UUID.
> 
> Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
> ---
>  libavcodec/h264_sei.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
> index d4eb9c0dab..46fe8692dd 100644
> --- a/libavcodec/h264_sei.c
> +++ b/libavcodec/h264_sei.c
> @@ -250,14 +250,15 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext *
>      if (size < 16 || size >= INT_MAX - 16)
>          return AVERROR_INVALIDDATA;
>  
> -    user_data = av_malloc(16 + size + 1);
> +    user_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE);

this can overflow, the previous check still assumes 16

thx

[...]
Limin Wang Dec. 18, 2019, 1:02 a.m. UTC | #2
On Tue, Dec 17, 2019 at 10:42:54PM +0100, Michael Niedermayer wrote:
> On Tue, Dec 17, 2019 at 06:22:16PM +0800, lance.lmwang@gmail.com wrote:
> > From: Limin Wang <lance.lmwang@gmail.com>
> > 
> > According to the specifications, the payloadSize includes the 16-byte size of UUID.
> > 
> > Signed-off-by: Limin Wang <lance.lmwang@gmail.com>
> > ---
> >  libavcodec/h264_sei.c | 7 ++++---
> >  1 file changed, 4 insertions(+), 3 deletions(-)
> > 
> > diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
> > index d4eb9c0dab..46fe8692dd 100644
> > --- a/libavcodec/h264_sei.c
> > +++ b/libavcodec/h264_sei.c
> > @@ -250,14 +250,15 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext *
> >      if (size < 16 || size >= INT_MAX - 16)
> >          return AVERROR_INVALIDDATA;
> >  
> > -    user_data = av_malloc(16 + size + 1);
> > +    user_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE);
> 
> this can overflow, the previous check still assumes 16

Will fix it 

> 
> thx
> 
> [...]
> -- 
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
> 
> Freedom in capitalist society always remains about the same as it was in
> ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin



> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
> 
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
diff mbox

Patch

diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
index d4eb9c0dab..46fe8692dd 100644
--- a/libavcodec/h264_sei.c
+++ b/libavcodec/h264_sei.c
@@ -250,14 +250,15 @@  static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext *
     if (size < 16 || size >= INT_MAX - 16)
         return AVERROR_INVALIDDATA;
 
-    user_data = av_malloc(16 + size + 1);
+    user_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE);
     if (!user_data)
         return AVERROR(ENOMEM);
 
-    for (i = 0; i < size + 16; i++)
+    for (i = 0; i < size; i++)
         user_data[i] = get_bits(gb, 8);
 
-    user_data[i] = 0;
+    memset(user_data + size, 0, AV_INPUT_BUFFER_PADDING_SIZE);
+
     e = sscanf(user_data + 16, "x264 - core %d", &build);
     if (e == 1 && build > 0)
         h->x264_build = build;