On Tue, Dec 17, 2019 at 06:22:16PM +0800, lance.lmw...@gmail.com wrote: > From: Limin Wang <lance.lmw...@gmail.com> > > According to the specifications, the payloadSize includes the 16-byte size of > UUID. > > Signed-off-by: Limin Wang <lance.lmw...@gmail.com> > --- > libavcodec/h264_sei.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c > index d4eb9c0dab..46fe8692dd 100644 > --- a/libavcodec/h264_sei.c > +++ b/libavcodec/h264_sei.c > @@ -250,14 +250,15 @@ static int > decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext * > if (size < 16 || size >= INT_MAX - 16) > return AVERROR_INVALIDDATA; > > - user_data = av_malloc(16 + size + 1); > + user_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE);
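Review bot: the guard `size >= INT_MAX - 16` directly above the changed `av_malloc` call still reserves headroom for the 16 bytes of the old `16 + size + 1` request, while the new request adds `AV_INPUT_BUFFER_PADDING_SIZE`. The upper bound should be tied to the constant that is actually added, for example `if (size < 16 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)`, so the sum cannot wrap for any accepted `size`. The `size < 16` lower bound agrees with the commit message (payloadSize includes the 16-byte UUID) and can stay as it is.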
this can overflow, the previous check still assumes 16

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".