avcodec/cbs: Fix potential overflow

The number of bits in a PutBitContext must fit into an int, yet nothing guaranteed the size argument cbs_write_unit_data() uses in init_put_bits() to be in the range 0..INT_MAX / 8. This has been changed. Furthermore, the check 8 * data_size > data_bit_start that there is data beyond the initial padding when writing mpeg2 or H.264/5 slices could also overflow, so divide it by 8 to get an equivalent check without this problem. Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
author: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> 2019-11-17 08:34:36 +0100
committer: Mark Thompson <sw@jkqxz.net> 2019-11-17 23:31:45 +0000
commit: cda3e8ca04c0e343f5b60fda8fb467936e176f33 (patch)
tree: c5982250e6354efee8023ae2776582d20d37c866 /libavcodec/cbs.c
parent: 7c92eaace2b338e0b3acc18e1543b365610578fd (diff)
download: ffmpeg-cda3e8ca04c0e343f5b60fda8fb467936e176f33.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/libavcodec/cbs.c b/libavcodec/cbs.c
index ab3eadb534..0badb192d9 100644
--- a/libavcodec/cbs.c
+++ b/libavcodec/cbs.c
@@ -309,7 +309,9 @@ static int cbs_write_unit_data(CodedBitstreamContext *ctx,
     if (ret < 0) {
         if (ret == AVERROR(ENOSPC)) {
             // Overflow.
-            ctx->write_buffer_size *= 2;
+            if (ctx->write_buffer_size == INT_MAX / 8)
+                return AVERROR(ENOMEM);
+            ctx->write_buffer_size = FFMIN(2 * ctx->write_buffer_size, INT_MAX / 8);
             goto reallocate_and_try_again;
         }
         // Write failed for some other reason.
author	Andreas Rheinhardt <andreas.rheinhardt@gmail.com>	2019-11-17 08:34:36 +0100
committer	Mark Thompson <sw@jkqxz.net>	2019-11-17 23:31:45 +0000
commit	cda3e8ca04c0e343f5b60fda8fb467936e176f33 (patch)
tree	c5982250e6354efee8023ae2776582d20d37c866 /libavcodec/cbs.c
parent	7c92eaace2b338e0b3acc18e1543b365610578fd (diff)
download	ffmpeg-cda3e8ca04c0e343f5b60fda8fb467936e176f33.tar.gz