On 22/04/2024 02:31, Michael Niedermayer wrote:
> Found-by-reviewing: CID1419833 Untrusted loop bound
>
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> ---
> libavcodec/cbs_h2645.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
> index fe2e383ff33..1a45d424bae 100644
> --- a/libavcodec/cbs_h2645.c
> +++ b/libavcodec/cbs_h2645.c
> @@ -709,7 +709,11 @@ static int
> cbs_h2645_split_fragment(CodedBitstreamContext *ctx,
>
> start = bytestream2_tell(&gbc);
> for(i = 0; i < num_nalus; i++) {
> + if (bytestream2_get_bytes_left(&gbc) < 2)
> + return AVERROR_INVALIDDATA;
> size = bytestream2_get_be16(&gbc);
> + if (bytestream2_get_bytes_left(&gbc) < size)
> + return AVERROR_INVALIDDATA;
> bytestream2_skip(&gbc, size);
> }
> end = bytestream2_tell(&gbc);
Seems fair.
The problem looks more general with missing bounds checks in all the H.266 code
around this, though? Compare with H.26[45], which have checks on all the reads
- seems like H.266 should be doing that.
Thanks,
- Mark
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
