eessppeelllloo/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-12-13 18:40:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()

Browse Source 
Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 991ef6e5b9)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer
2017-12-15 17:50:12 +01:00
parent b7f48cd044
commit 01f2bc5ec8
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/hevc_sei.c
View File

@@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s)
av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n");
while (byte == 0xFF) { while (byte == 0xFF) {
if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255)
return AVERROR_INVALIDDATA;
byte = get_bits(gb, 8); byte = get_bits(gb, 8);
payload_type += byte; payload_type += byte;
} }
byte = 0xFF; byte = 0xFF;
while (byte == 0xFF) { while (byte == 0xFF) {
if (get_bits_left(gb) < 8 + 8LL*payload_size)
return AVERROR_INVALIDDATA;
byte = get_bits(gb, 8); byte = get_bits(gb, 8);
payload_size += byte; payload_size += byte;
} }