ffmpeg | branch: master | Nuo Mi <[email protected]> | Fri Feb 9 19:16:30 2024 +0800| [f7a504a0dfac5efd5e1f5bdc1c596fc798ef4c23] | committer: Nuo Mi
avcodec/vvc_mp4toannexb: more validations for nalu_len For a corrupted stream, the value of nalu_len read from the extradata is not reliable. We need to perform additional checks Fixes: fuzzer timeout Fixes: 65253/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_MP4TOANNEXB_fuzzer-4972412487467008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <[email protected]> Signed-off-by: Andreas Rheinhardt <[email protected]> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f7a504a0dfac5efd5e1f5bdc1c596fc798ef4c23 --- libavcodec/bsf/vvc_mp4toannexb.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/bsf/vvc_mp4toannexb.c b/libavcodec/bsf/vvc_mp4toannexb.c index 25c3726918..36bdae8f49 100644 --- a/libavcodec/bsf/vvc_mp4toannexb.c +++ b/libavcodec/bsf/vvc_mp4toannexb.c @@ -155,10 +155,11 @@ static int vvc_extradata_to_annexb(AVBSFContext *ctx) } for (j = 0; j < cnt; j++) { - int nalu_len = bytestream2_get_be16(&gb); + const int nalu_len = bytestream2_get_be16(&gb); - if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > - SIZE_MAX - new_extradata_size) { + if (!nalu_len || + nalu_len > bytestream2_get_bytes_left(&gb) || + 4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) { ret = AVERROR_INVALIDDATA; goto fail; } _______________________________________________ ffmpeg-cvslog mailing list [email protected] https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email [email protected] with subject "unsubscribe".
