Message ID | KL1PR06MB642639BF0652FE74BD52A759AA4B2@KL1PR06MB6426.apcprd06.prod.outlook.com |
---|---|
State | Accepted |
Commit | 4f8044145532276715bbbc6598868ae4a234c6ce |
Headers | show |
Series | [FFmpeg-devel,v2,1/2] avcodec/vvc_mp4toannexb: check bytes left for nalu_len | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
andriy/make_x86 | success | Make finished |
andriy/make_fate_x86 | success | Make fate finished |
On Fri, 9 Feb 2024, Nuo Mi wrote: > similar issue as in the previous commit > --- > libavcodec/bsf/hevc_mp4toannexb.c | 6 ++++-- > 1 file changed, 4 insertions(+), 2 deletions(-) Keep in mind, that while the patches are posted together, they can end up at different places further in review, and in commits, so the commit messages should ideally be understandable standalone. // Martin
On Fri, Feb 9, 2024 at 7:47 PM Martin Storsjö <martin@martin.st> wrote: > On Fri, 9 Feb 2024, Nuo Mi wrote: > > > similar issue as in the previous commit > > --- > > libavcodec/bsf/hevc_mp4toannexb.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > > Keep in mind, that while the patches are posted together, they can end up > at different places further in review, and in commits, so the commit > messages should ideally be understandable standalone. > Hi Martin Thank you for the reminder. Will do > > // Martin > >
diff --git a/libavcodec/bsf/hevc_mp4toannexb.c b/libavcodec/bsf/hevc_mp4toannexb.c index d91229a895..8eec18f31e 100644 --- a/libavcodec/bsf/hevc_mp4toannexb.c +++ b/libavcodec/bsf/hevc_mp4toannexb.c @@ -65,9 +65,11 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx) } for (j = 0; j < cnt; j++) { - int nalu_len = bytestream2_get_be16(&gb); + const int nalu_len = bytestream2_get_be16(&gb); - if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) { + if (!nalu_len || + nalu_len > bytestream2_get_bytes_left(&gb) || + 4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) { ret = AVERROR_INVALIDDATA; goto fail; }