diff options
author | Michael Niedermayer <michael@niedermayer.cc> | 2017-12-15 17:50:12 +0100 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2017-12-30 21:11:32 +0100 |
commit | bdba0f6786d57356c2ead515338fb44754aa91c4 (patch) | |
tree | 7fb63acc976086b8692c945277368682e889688e | |
parent | badca11741ea9bd0b4aa1b3af69f38754d4c69e0 (diff) | |
download | ffmpeg-bdba0f6786d57356c2ead515338fb44754aa91c4.tar.gz |
avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()
Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r-- | libavcodec/hevc_sei.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index d4a82fd456..31813aae2c 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s) av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { + if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { + if (get_bits_left(gb) < 8 + 8LL*payload_size) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; } |