vlc/vlc-3.0 | branch: master | Francois Cartegnie <fcvlc...@free.fr> | Mon Apr 12 13:39:46 2021 +0200| [86e2cdd41557664e2a13b79be4d415ccd61428ea] | committer: Hugo Beauzée-Luyssen
av1_unpack: check header overflow could trigger -1 offset move reported by Zhen Zhou of NSFOCUS Security Team (cherry picked from commit 44200dea8c4d2767886b553a7a5887f2191de88f) Signed-off-by: Hugo Beauzée-Luyssen <h...@beauzee.fr> > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=86e2cdd41557664e2a13b79be4d415ccd61428ea --- modules/demux/av1_unpack.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/demux/av1_unpack.h b/modules/demux/av1_unpack.h index af7f056abf..dcaaa85f34 100644 --- a/modules/demux/av1_unpack.h +++ b/modules/demux/av1_unpack.h @@ -55,6 +55,8 @@ static inline block_t * AV1_Unpack_Sample_ExpandSize(block_t *p_block) if(AV1_OBUHasSizeField(p_obu)) continue; const uint8_t i_header = 1 + AV1_OBUHasExtensionField(p_obu); + if(i_header > i_obu) + break; const uint8_t i_sizelen = leb128_expected(i_obu - i_header); const size_t i_obu_offset = p_obu - p_block->p_buffer; _______________________________________________ vlc-commits mailing list vlc-commits@videolan.org https://mailman.videolan.org/listinfo/vlc-commits
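Review bot: The new `if(i_header > i_obu) break;` guard placed ahead of `leb128_expected(i_obu - i_header)` carries no comment saying what it protects, and the hunk does not show what runs after the `break`. A one-line comment noting that the subtraction would otherwise go out of range for an OBU shorter than its own header (the "-1 offset move" named in the commit message) would make the intent clear to later readers. Since the preceding `AV1_OBUHasSizeField` test uses `continue` while this one uses `break`, please confirm that the code following the loop treats the block as truncated rather than handing it on as fully unpacked. The guard also lets `i_header == i_obu` through, so `leb128_expected(0)` is reached for a header-only OBU; it is worth stating whether that case is intended.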