authorFrank Plowman <post@frankplowman.com>2024-04-09 07:55:11 +0000
committerNuo Mi <nuomi2021@gmail.com>2024-04-09 22:30:18 +0800
commitfcf74c5ebc520a53758eb410003fc8e814873053 (patch)
treefa2ec2696229883d106b0918057139c02d365b30 /libavcodec/vvc
parentf499503073804e55540cad13743849a791449a98 (diff)
downloadffmpeg-fcf74c5ebc520a53758eb410003fc8e814873053.tar.gz
lavc/vvc: Fix buffer overread in CABAC
The size variable here is taken as gospel for the bounds of the input buffer in later logic. Clamp it to ensure that the returned region does not extend past the one allocated in the underlying GetBitContext, even in the case where entry point offsets are signalled in the bitstream. Also assert this for good measure. Signed-off-by: Frank Plowman <post@frankplowman.com>
Diffstat (limited to 'libavcodec/vvc')
-rw-r--r--libavcodec/vvc/dec.c2
1 files changed, 2 insertions, 0 deletions
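--- a/libavcodec/vvc/dec.c
+++ b/libavcodec/vvc/dec.c
@@ -497,9 +497,11 @@ static void ep_init_cabac_decoder(SliceContext *sc, const int index,
 skipped++;
 }
 size = end - start;
+size = av_clip(size, 0, get_bits_left(gb) / 8);
 } else {
 size = get_bits_left(gb) / 8;
 }
+av_assert0(gb->buffer + get_bits_count(gb) / 8 + size <= gb->buffer_end);
 ff_init_cabac_decoder (&ep->cc, gb->buffer + get_bits_count(gb) / 8, size);
 skip_bits(gb, size * 8);
 }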
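Review bot: The clamp is only applied on the entry-point branch; the `else` branch still hands `get_bits_left(gb) / 8` to ff_init_cabac_decoder and skip_bits unclamped, and if the reader has already been over-read at this point (get_bits_left returning a negative value, which I cannot rule out from the hunk) a negative size reaches both calls, and the new av_assert0 would not necessarily catch it since the negative size offsets the pointer back inside the buffer. Clamping in both branches, `size = FFMAX(get_bits_left(gb) / 8, 0);` in the else branch, makes the invariant the assert checks hold by construction rather than by the state of gb. Separately, the clamp silently truncates a stream whose signalled entry point runs past the buffer; since av_assert0 is compiled in at every assert level, a hard abort is reserved for the invariant, but a corrupt entry point is input that a caller would want reported, so an `av_log(..., AV_LOG_WARNING, "entry point exceeds slice data\n")` next to the clamp, on whatever logging context is reachable from sc, would make the condition observable. ep_init_cabac_decoder's body starts outside the hunk.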