On 22/04/2024 02:31, Michael Niedermayer wrote: > Found-by-reviewing: CID1419833 Untrusted loop bound > > Sponsored-by: Sovereign Tech Fund > Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc> > --- > libavcodec/cbs_h2645.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c > index fe2e383ff33..1a45d424bae 100644 > --- a/libavcodec/cbs_h2645.c > +++ b/libavcodec/cbs_h2645.c > @@ -709,7 +709,11 @@ static int > cbs_h2645_split_fragment(CodedBitstreamContext *ctx, > > start = bytestream2_tell(&gbc); > for(i = 0; i < num_nalus; i++) { > + if (bytestream2_get_bytes_left(&gbc) < 2) > + return AVERROR_INVALIDDATA; > size = bytestream2_get_be16(&gbc); > + if (bytestream2_get_bytes_left(&gbc) < size) > + return AVERROR_INVALIDDATA; > bytestream2_skip(&gbc, size); > } > end = bytestream2_tell(&gbc);
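Review bot: the two per-iteration checks are ordered correctly (the `< 2` test precedes `bytestream2_get_be16`, and `bytestream2_get_bytes_left` is re-evaluated after that 2-byte read, so the `< size` test applies to the payload alone), but the loop bound `num_nalus` itself still enters the loop unvalidated; since every entry needs at least its 2-byte size field, consider rejecting the fragment before the loop with something like `if (num_nalus > bytestream2_get_bytes_left(&gbc) / 2) return AVERROR_INVALIDDATA;` so an absurd count fails immediately instead of iterating until the buffer runs dry. With the new `< 2` check the loop is in practice already bounded by the remaining bytes, so this is about failing early and making the intent visible to readers (and to Coverity), not about memory safety; also note that `bytestream2_skip` already clamps to the buffer, so the second check changes a silently truncated walk into an explicit error, which is the right behaviour here.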
Seems fair. The problem looks more general with missing bounds checks in all the H.266 code around this, though? Compare with H.26[45], which have checks on all the reads - seems like H.266 should be doing that.

Thanks,

- Mark

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
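As an added illustration of the kind of check under discussion (this is example code written for this page, not FFmpeg's cbs_h2645.c and not the patch above), the following walks a length-prefixed NAL unit array in the same style: a count, then per entry a big-endian 16-bit size followed by that many payload bytes. It uses a small hand-written reader instead of FFmpeg's bytestream2 API (an assumption, so the error code and reader are local stand-ins), checks both the size field and the payload against the remaining bytes on every iteration, and additionally rejects a count that cannot fit in the remaining data before the loop starts. The input buffer is constructed for the example.

```c
/* Added example, not FFmpeg code: a bounds-checked walk over a
 * length-prefixed NAL unit array. Layout assumed for the constructed
 * input: num_nalus entries, each a big-endian 16-bit size followed by
 * that many payload bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ERR_INVALIDDATA (-1)   /* local stand-in for AVERROR_INVALIDDATA */

/* Minimal checked reader; a stand-in for bytestream2, not its API. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} Reader;

static size_t bytes_left(const Reader *r) { return r->len - r->pos; }

/* On success returns 0 and writes [*start, *end), the byte span covering
 * all num_nalus entries. Returns ERR_INVALIDDATA if the count or any size
 * field would run past the end of the buffer. */
int split_nalus(const uint8_t *buf, size_t len, unsigned num_nalus,
                size_t *start, size_t *end)
{
    Reader r = { buf, len, 0 };
    unsigned i;

    /* Fail early: every entry needs at least its 2-byte size field, so a
     * count larger than bytes_left / 2 cannot possibly be satisfied. */
    if (num_nalus > bytes_left(&r) / 2)
        return ERR_INVALIDDATA;

    *start = r.pos;
    for (i = 0; i < num_nalus; i++) {
        uint16_t size;

        /* Check the size field itself before reading it. */
        if (bytes_left(&r) < 2)
            return ERR_INVALIDDATA;
        size = (uint16_t)((r.buf[r.pos] << 8) | r.buf[r.pos + 1]);
        r.pos += 2;

        /* Then check the payload the untrusted size field claims. */
        if (bytes_left(&r) < size)
            return ERR_INVALIDDATA;
        r.pos += size;
    }
    *end = r.pos;
    return 0;
}

/* Constructed sample: two NAL units of 3 and 1 payload bytes, followed by
 * two trailing bytes (0xFF 0xFF) that a third entry would misread as a
 * 65535-byte size field. */
static const uint8_t sample[] = {
    0x00, 0x03, 0xAA, 0xBB, 0xCC,
    0x00, 0x01, 0xDD,
    0xFF, 0xFF
};

/* Well-formed: two entries, span is bytes [0, 8). */
int check_ok(void)
{
    size_t s = 1, e = 0;
    return split_nalus(sample, sizeof sample, 2, &s, &e) == 0 && s == 0 && e == 8;
}

/* Truncated buffer: the second size field claims a byte that is not there. */
int check_truncated(void)
{
    size_t s, e;
    return split_nalus(sample, 7, 2, &s, &e) == ERR_INVALIDDATA;
}

/* Count larger than the data can hold is rejected before the loop. */
int check_bad_count(void)
{
    size_t s, e;
    return split_nalus(sample, sizeof sample, 6, &s, &e) == ERR_INVALIDDATA;
}

/* A plausible count whose third entry carries a huge size field. */
int check_huge_size(void)
{
    size_t s, e;
    return split_nalus(sample, sizeof sample, 3, &s, &e) == ERR_INVALIDDATA;
}

int main(void)
{
    printf("ok=%d truncated=%d bad_count=%d huge_size=%d\n",
           check_ok(), check_truncated(), check_bad_count(), check_huge_size());
    return 0;
}
```

The per-iteration pair of checks mirrors the shape of the fix being reviewed; the up-front count check is the extra step that turns an untrusted loop bound into a bounded one regardless of what the size fields contain.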