Properly address CVE-2011-3946 and parse bitstream as described in the spec.
CC: [email protected] Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind --- libavcodec/h264_sei.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c index 33230b7..641ee1d 100644 --- a/libavcodec/h264_sei.c +++ b/libavcodec/h264_sei.c @@ -222,14 +222,19 @@ int ff_h264_decode_sei(H264Context *h) int size = 0; int type = 0; int ret = 0; + int last = 0; - do - type += show_bits(&h->gb, 8); - while (get_bits(&h->gb, 8) == 255); + while (get_bits_left(&h->gb) >= 8 && + (last = get_bits(&h->gb, 8)) == 255) { + type += 255; + } + type += last; - do - size += show_bits(&h->gb, 8); - while (get_bits(&h->gb, 8) == 255); + while (get_bits_left(&h->gb) >= 8 && + (last = get_bits(&h->gb, 8)) == 255) { + size += 255; + } + size += last; if (size > get_bits_left(&h->gb) / 8) { av_log(h->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n", -- 1.8.5.2 (Apple Git-48) _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
