ffmpeg | branch: master | Nuo Mi <nuomi2...@gmail.com> | Fri Feb 9 19:16:30 2024 +0800| [f7a504a0dfac5efd5e1f5bdc1c596fc798ef4c23] | committer: Nuo Mi
avcodec/vvc_mp4toannexb: more validations for nalu_len For a corrupted stream, the value of nalu_len read from the extradata is not reliable. We need to perform additional checks Fixes: fuzzer timeout Fixes: 65253/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_MP4TOANNEXB_fuzzer-4972412487467008 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@outlook.com> > http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=f7a504a0dfac5efd5e1f5bdc1c596fc798ef4c23 --- libavcodec/bsf/vvc_mp4toannexb.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/libavcodec/bsf/vvc_mp4toannexb.c b/libavcodec/bsf/vvc_mp4toannexb.c index 25c3726918..36bdae8f49 100644 --- a/libavcodec/bsf/vvc_mp4toannexb.c +++ b/libavcodec/bsf/vvc_mp4toannexb.c @@ -155,10 +155,11 @@ static int vvc_extradata_to_annexb(AVBSFContext *ctx) } for (j = 0; j < cnt; j++) { - int nalu_len = bytestream2_get_be16(&gb); + const int nalu_len = bytestream2_get_be16(&gb); - if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > - SIZE_MAX - new_extradata_size) { + if (!nalu_len || + nalu_len > bytestream2_get_bytes_left(&gb) || + 4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) { ret = AVERROR_INVALIDDATA; goto fail; } _______________________________________________ ffmpeg-cvslog mailing list ffmpeg-cvslog@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-cvslog To unsubscribe, visit link above, or email ffmpeg-cvslog-requ...@ffmpeg.org with subject "unsubscribe".
