Message ID | 20230620144042.9629-4-jamrial@gmail.com |
---|---|
State | Accepted |
Commit | d0d20f16ce4de0d814b7dac28fa18c666b7a8a85 |
Headers | show |
Series | [FFmpeg-devel,1/9] avformat/evcdec: ensure there are enough bytes to seekback | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | fail | Make fate failed |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | fail | Make fate failed |
diff --git a/libavformat/evcdec.c b/libavformat/evcdec.c index 842258d229..ef743028ae 100644 --- a/libavformat/evcdec.c +++ b/libavformat/evcdec.c @@ -181,7 +181,7 @@ fail: static int evc_read_packet(AVFormatContext *s, AVPacket *pkt) { int ret; - int32_t nalu_size; + uint32_t nalu_size; int au_end_found = 0; EVCDemuxContext *const c = s->priv_data; @@ -200,7 +200,7 @@ static int evc_read_packet(AVFormatContext *s, AVPacket *pkt) return ret; nalu_size = read_nal_unit_length((const uint8_t *)&buf, EVC_NALU_LENGTH_PREFIX_SIZE); - if (nalu_size <= 0) + if (!nalu_size || nalu_size > INT_MAX) return AVERROR_INVALIDDATA; avio_seek(s->pb, -EVC_NALU_LENGTH_PREFIX_SIZE, SEEK_CUR);
But ensure the value returned by evc_read_nal_unit_length() fits in an int. Should prevent integer overflows later in the code. Signed-off-by: James Almer <jamrial@gmail.com> --- libavformat/evcdec.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)