diff mbox series

[FFmpeg-devel,07/36] avcodec/vp9_superframe_split_bsf: Discard frames with size zero

Message ID 20200530160541.29517-7-andreas.rheinhardt@gmail.com
State New
Headers show
Series [FFmpeg-devel,01/36] avcodec/vp9_superframe_bsf: Check for existence of data before reading it
Related show

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Andreas Rheinhardt May 30, 2020, 4:05 p.m. UTC
They are invalid in VP9. If the packet given to the bsf has a size of
zero, it would try to access pkt->data[-1] which could lead to segfaults.
And if any of the frames inside a superframe had a size of zero, the code
would either read into the next frame or into the superframe index.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavcodec/vp9_superframe_split_bsf.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c
index ed0444561a..6ebecfa8ae 100644
--- a/libavcodec/vp9_superframe_split_bsf.c
+++ b/libavcodec/vp9_superframe_split_bsf.c
@@ -51,6 +51,11 @@  static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
             return ret;
         in = s->buffer_pkt;
 
+        if (in->size <= 0) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+
         marker = in->data[in->size - 1];
         if ((marker & 0xe0) == 0xc0) {
             int length_size = 1 + ((marker >> 3) & 0x3);
@@ -70,7 +75,7 @@  static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
                         frame_size |= bytestream2_get_byte(&bc) << (j * 8);
 
                     total_size += frame_size;
-                    if (frame_size < 0 || total_size > in->size - idx_size) {
+                    if (frame_size <= 0 || total_size > in->size - idx_size) {
                         av_log(ctx, AV_LOG_ERROR,
                                "Invalid frame size in a superframe: %d\n", frame_size);
                         ret = AVERROR(EINVAL);