[FFmpeg-devel,07/36] avcodec/vp9_superframe_split_bsf: Discard frames with size zero

Message ID 20200530160541.29517-7-andreas.rheinhardt@gmail.com
State New
Series [FFmpeg-devel,01/36] avcodec/vp9_superframe_bsf: Check for existence of data before reading it

Checks

Context Check Description
andriy/default pending
andriy/make success Make finished
andriy/make_fate success Make fate finished

Commit Message

Andreas Rheinhardt May 30, 2020, 4:05 p.m. UTC
They are invalid in VP9. If the packet given to the bsf has a size of
zero, it would try to access pkt->data[-1] which could lead to segfaults.
And if any of the frames inside a superframe had a size of zero, the code
would either read into the next frame or into the superframe index.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
---
 libavcodec/vp9_superframe_split_bsf.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
Patch

diff --git a/libavcodec/vp9_superframe_split_bsf.c b/libavcodec/vp9_superframe_split_bsf.c
index ed0444561a..6ebecfa8ae 100644
--- a/libavcodec/vp9_superframe_split_bsf.c
+++ b/libavcodec/vp9_superframe_split_bsf.c
@@ -51,6 +51,11 @@  static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
             return ret;
         in = s->buffer_pkt;
 
+        if (in->size <= 0) {
+            ret = AVERROR_INVALIDDATA;
+            goto fail;
+        }
+
         marker = in->data[in->size - 1];
         if ((marker & 0xe0) == 0xc0) {
             int length_size = 1 + ((marker >> 3) & 0x3);
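Review bot: The new `in->size <= 0` branch fails silently and returns AVERROR_INVALIDDATA, while the invalid frame size path later in this function logs through av_log and returns AVERROR(EINVAL). Consider adding an av_log(ctx, AV_LOG_ERROR, ...) line here so an empty packet is distinguishable from other failures, and using the same error code for both kinds of invalid input. The guard itself is placed correctly, directly before the `in->data[in->size - 1]` read it protects.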
@@ -70,7 +75,7 @@  static int vp9_superframe_split_filter(AVBSFContext *ctx, AVPacket *out)
                         frame_size |= bytestream2_get_byte(&bc) << (j * 8);
 
                     total_size += frame_size;
-                    if (frame_size < 0 || total_size > in->size - idx_size) {
+                    if (frame_size <= 0 || total_size > in->size - idx_size) {
                         av_log(ctx, AV_LOG_ERROR,
                                "Invalid frame size in a superframe: %d\n", frame_size);
                         ret = AVERROR(EINVAL);
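Review bot: The `frame_size <= 0` test still runs after `total_size += frame_size`, so a rejected value has already been added to the running sum by the time it is checked. Checking frame_size before the addition would keep invalid values out of total_size entirely. The log text "Invalid frame size in a superframe: %d" now also covers the zero case, which is fine since the value is printed, but the message does not say whether the size itself or the accumulated total tripped the condition.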