diff options
| author | Nuo Mi <nuomi2021@gmail.com> | 2024-02-09 19:16:31 +0800 |
|---|---|---|
| committer | Nuo Mi <nuomi2021@gmail.com> | 2024-02-11 22:50:01 +0800 |
| commit | 4f8044145532276715bbbc6598868ae4a234c6ce (patch) | |
| tree | 9989376090c4bdddda7e1a712c74c5a6aec38953 | |
| parent | f7a504a0dfac5efd5e1f5bdc1c596fc798ef4c23 (diff) | |
| download | ffmpeg-4f8044145532276715bbbc6598868ae4a234c6ce.tar.gz | |
avcodec/hevc_mp4toannexb: more validations for nalu_len
For a corrupted stream, the value of nalu_len read from the extradata is not reliable.
We need to perform additional checks
| -rw-r--r-- | libavcodec/bsf/hevc_mp4toannexb.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/libavcodec/bsf/hevc_mp4toannexb.c b/libavcodec/bsf/hevc_mp4toannexb.c index d91229a895..8eec18f31e 100644 --- a/libavcodec/bsf/hevc_mp4toannexb.c +++ b/libavcodec/bsf/hevc_mp4toannexb.c @@ -65,9 +65,11 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx) } for (j = 0; j < cnt; j++) { - int nalu_len = bytestream2_get_be16(&gb); + const int nalu_len = bytestream2_get_be16(&gb); - if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) { + if (!nalu_len || + nalu_len > bytestream2_get_bytes_left(&gb) || + 4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) { ret = AVERROR_INVALIDDATA; goto fail; } |