On 22/04/2024 02:31, Michael Niedermayer wrote:
> Found-by-reviewing: CID1419833 Untrusted loop bound
> 
> Sponsored-by: Sovereign Tech Fund
> Signed-off-by: Michael Niedermayer <mich...@niedermayer.cc>
> ---
>  libavcodec/cbs_h2645.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
> index fe2e383ff33..1a45d424bae 100644
> --- a/libavcodec/cbs_h2645.c
> +++ b/libavcodec/cbs_h2645.c
> @@ -709,7 +709,11 @@ static int 
> cbs_h2645_split_fragment(CodedBitstreamContext *ctx,
>  
>              start = bytestream2_tell(&gbc);
>              for(i = 0; i < num_nalus; i++) {
> +                if (bytestream2_get_bytes_left(&gbc) < 2)
> +                    return AVERROR_INVALIDDATA;
>                  size = bytestream2_get_be16(&gbc);
> +                if (bytestream2_get_bytes_left(&gbc) < size)
> +                    return AVERROR_INVALIDDATA;
>                  bytestream2_skip(&gbc, size);
>              }
>              end = bytestream2_tell(&gbc);

Seems fair.

The problem looks more general with missing bounds checks in all the H.266 code 
around this, though?  Compare with H.26[45], which have checks on all the reads 
- seems like H.266 should be doing that.

Thanks,

- Mark
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".

Reply via email to