ffmpeg | branch: release/2.4 | Michael Niedermayer <mich...@niedermayer.cc> | 
Fri Nov 27 18:30:05 2015 +0100| [961a1f73e39250e91b2f73a5a32b49a292b539ff] | 
committer: Michael Niedermayer

avcodec/hevc: Check entry_point_offsets

Fixes an out-of-array read
Fixes: 
007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
(cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c)

Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=961a1f73e39250e91b2f73a5a32b49a292b539ff
---

 libavcodec/hevc.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index fbfcb95..960573f 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2409,7 +2409,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
     HEVCLocalContext *lc = s->HEVClc;
     int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
     int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
-    int offset;
+    int64_t offset;
     int startheader, cmpt = 0;
     int i, j, res = 0;
 
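Review bot: The two av_malloc_array() results on the `ret`/`arg` lines are not checked for NULL anywhere this hunk shows, and the commit now adds an `error:` cleanup label that makes the check cheap to add: `if (!ret || !arg) { res = AVERROR(ENOMEM); goto error; }` placed after the declarations (av_free() tolerates NULL, so the shared cleanup path is safe). The widening of `offset` to `int64_t` only protects the running sum; the value is still written back into the `int` fields `s->sh.size[]` and `s->sh.offset[]` later in the function, so it is the added range check, not the wider type, that keeps those stores in range. hls_slice_data_wpp begins at this hunk header and continues past the end of the hunk.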
@@ -2450,6 +2450,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
     }
     if (s->sh.num_entry_point_offsets != 0) {
         offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] 
- cmpt;
+        if (length < offset) {
+            av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is 
corrupted\n");
+            res = AVERROR_INVALIDDATA;
+            goto error;
+        }
         s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset;
         s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset;
 
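Review bot: The new bound `if (length < offset)` is one-sided: a negative `offset` passes it, after which `length - offset` yields an oversized `size` and a negative value is stored into `s->sh.offset[]`, which is exactly the kind of value a later slice read would index with. Whether `offset` can go negative depends on the range of `s->sh.entry_point_offset[]` and on the `- cmpt` emulation-prevention correction, both established in code outside this hunk; if, as its use in the former `int` accumulator suggests, the table holds `int` values, an element above INT_MAX or a `cmpt` larger than the entry would drive it below zero. With the accumulator already widened to `int64_t` the check is cheap to close: `if (offset < 0 || length < offset) {`. Note also that the loop preceding this hunk fills `s->sh.size[i - 1]`/`s->sh.offset[i - 1]` for the earlier entries from the same table, and this check validates only the final cumulative offset; hls_slice_data_wpp continues on both sides of the hunk.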
@@ -2476,6 +2481,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const 
uint8_t *nal, int length)
 
     for (i = 0; i <= s->sh.num_entry_point_offsets; i++)
         res += ret[i];
+error:
     av_free(ret);
     av_free(arg);
     return res;
