On Wed, Oct 18, 2023 at 03:17:41PM +0200, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: index 32 out of bounds for type 'uint32_t [32]'
> > Fixes: 63003/clusterfuzz-testcase-minimized-ffmpeg_DEMUXER_fuzzer-4685160840560640
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> > ---
> >  libavcodec/hevc_ps.c | 1 +
> >  1 file changed, 1 insertion(+)
> > 
> > diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
> > index a6b64b92e3..f4365ef5b5 100644
> > --- a/libavcodec/hevc_ps.c
> > +++ b/libavcodec/hevc_ps.c
> > @@ -421,6 +421,7 @@ static int decode_hrd(GetBitContext *gb, int 
> > common_inf_present,
> >              if (hdr->cpb_cnt_minus1[i] > 31) {
> >                  av_log(NULL, AV_LOG_ERROR, "nb_cpb %d invalid\n",
> >                         hdr->cpb_cnt_minus1[i]);
> > +                hdr->cpb_cnt_minus1[i] = 0;
> >                  return AVERROR_INVALIDDATA;
> >              }
> >          }
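Review bot: the check `if (hdr->cpb_cnt_minus1[i] > 31)` is evaluated on the value after it has already been written into the parameter set, and since the field is a uint8_t (see the reply below) any parsed value of 256 or more wraps before the comparison, so 256 becomes 0 and is accepted. Instead of adding `hdr->cpb_cnt_minus1[i] = 0;` on the error path, keep the parsed value in a full-width local, reject it when it exceeds 31, and only then assign it to `hdr->cpb_cnt_minus1[i]`; that closes the wrap-around case and makes the reset unnecessary.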
> 
> There is a second issue here: There can be truncation during the
> previous assignment, because cpb_cnt_minus1 is uint8_t. So this should
> be fixed by properly checking the value and only putting it in the
> parameter set after it has been validated (which also avoids having to
> reset it).

ok, will apply with that

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When you are offended at any man's fault, turn to yourself and study your
own failings. Then you will forget your anger. -- Epictetus
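To make the truncation point concrete, here is an added stand-alone example (not FFmpeg code, and not the patch's final form) that puts the two patterns side by side: the store-then-check shape from the hunk, and the check-then-store shape Andreas asks for. The `HRDParams` struct, the 32-entry array size, `ERR_INVALIDDATA` and the `parsed` argument are simplified assumptions standing in for the real parameter set and bit reader; only the uint8_t field width and the `> 31` limit come from the thread.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the HRD parameter set and error code used in
 * the patch. The uint8_t width of cpb_cnt_minus1 is the detail under
 * discussion; everything else is simplified. */
#define MAX_CPB 32
#define ERR_INVALIDDATA (-1)

typedef struct HRDParams {
    uint8_t cpb_cnt_minus1[MAX_CPB];
} HRDParams;

/* Shape of the code in the hunk: assign first, validate afterwards.
 * The assignment silently truncates to 8 bits, so a parsed value of 256
 * becomes 0 and passes the "> 31" check unnoticed. */
static int store_then_check(HRDParams *hdr, int i, unsigned parsed)
{
    hdr->cpb_cnt_minus1[i] = parsed;          /* implicit truncation */
    if (hdr->cpb_cnt_minus1[i] > 31) {
        hdr->cpb_cnt_minus1[i] = 0;           /* the reset the patch adds */
        return ERR_INVALIDDATA;
    }
    return 0;
}

/* Shape Andreas suggests: validate the full-width value, then store.
 * Nothing is written on the error path, so no reset is needed and no
 * out-of-range value can ever reach the array. */
static int check_then_store(HRDParams *hdr, int i, unsigned parsed)
{
    if (parsed > 31)
        return ERR_INVALIDDATA;
    hdr->cpb_cnt_minus1[i] = (uint8_t)parsed; /* 0..31 always fits */
    return 0;
}

/* Runs one of the two functions on a fresh parameter set and reports what
 * ended up stored: the field value on success, -1 if the input was rejected. */
static int probe(int (*fn)(HRDParams *, int, unsigned), unsigned parsed)
{
    HRDParams hdr = {0};
    if (fn(&hdr, 0, parsed) < 0)
        return -1;
    return hdr.cpb_cnt_minus1[0];
}

int main(void)
{
    /* Constructed inputs: in range, at the limit, just over, and two values
     * that wrap modulo 256 to something the store-first check misjudges. */
    const unsigned inputs[] = { 5, 31, 32, 256, 288 };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++) {
        printf("parsed=%3u  store_then_check=%3d  check_then_store=%3d\n",
               inputs[k],
               probe(store_then_check, inputs[k]),
               probe(check_then_store, inputs[k]));
    }
    return 0;
}
```

The interesting row is 256: the store-first version reports a stored value of 0 and no error, while the check-first version rejects it. 288 happens to be caught by the store-first check only because 288 mod 256 is 32, which is the kind of luck a bounds check should not depend on.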
