avformat/mpegts: use a padded buffer in read_sl_header()

Fixes overread
Fixes: asan_heap-oob_84f75d_8_asan_heap-oob_a2a00a_341_mbc.ts

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 27f6da292118850ca7900de64d06b56e0ebb5070)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 5 insertions, 1 deletions

diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index a6b966b779..88082692b1 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -858,8 +858,12 @@ static int read_sl_header(PESContext *pes, SLConfigDescr *sl,
     int padding_flag = 0, padding_bits = 0, inst_bitrate_flag = 0;
     int dts_flag = -1, cts_flag = -1;
     int64_t dts = AV_NOPTS_VALUE, cts = AV_NOPTS_VALUE;
+    uint8_t buf_padded[128 + FF_INPUT_BUFFER_PADDING_SIZE];
+    int buf_padded_size = FFMIN(buf_size, sizeof(buf_padded) - FF_INPUT_BUFFER_PADDING_SIZE);
 
-    init_get_bits(&gb, buf, buf_size * 8);
+    memcpy(buf_padded, buf, buf_padded_size);
+
+    init_get_bits(&gb, buf_padded, buf_padded_size * 8);
 
     if (sl->use_au_start)
         au_start_flag = get_bits1(&gb);