avcodec/hevc/sei: prevent storing a potentially bogus num_ref_displays value in HEVCSEITDRDI

Fixes: 439711052/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4956250308935680
Fixes: out of array access

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit d448d6d1a0)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
James Almer
2025-10-09 00:31:10 -03:00
committed by Michael Niedermayer
parent 638cafa70b
commit a6ac0c6841


@@ -152,6 +152,8 @@ static int decode_nal_sei_timecode(HEVCSEITimeCode *s, GetBitContext *gb)
static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitContext *gb)
{
unsigned num_ref_displays;
s->prec_ref_display_width = get_ue_golomb(gb);
if (s->prec_ref_display_width > 31)
return AVERROR_INVALIDDATA;
@@ -161,10 +163,10 @@ static int decode_nal_sei_3d_reference_displays_info(HEVCSEITDRDI *s, GetBitCont
if (s->prec_ref_viewing_dist > 31)
return AVERROR_INVALIDDATA;
}
s->num_ref_displays = get_ue_golomb(gb);
if (s->num_ref_displays > 31)
num_ref_displays = get_ue_golomb(gb);
if (num_ref_displays > 31)
return AVERROR_INVALIDDATA;
s->num_ref_displays += 1;
s->num_ref_displays = num_ref_displays + 1;
for (int i = 0; i < s->num_ref_displays; i++) {
int length;
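Review bot: The reason for routing the parsed value through the local `num_ref_displays` before `s->num_ref_displays = num_ref_displays + 1;` is not stated in the code, so a later cleanup could fold it back into a direct store and reintroduce the out-of-bounds loop this commit fixes. A one-line comment above `num_ref_displays = get_ue_golomb(gb);` would pin it down: `/* validate before storing: s->num_ref_displays bounds the loop below and must never hold an unchecked value */`. Declaring the local `unsigned` also means a negative error return from get_ue_golomb() becomes a large value that the `> 31` check rejects; that looks accidental unless the same comment mentions it (the helper's return type is not visible in the hunk, so this is inferred). The function body continues past the hunk, so whether the per-display arrays filled by the loop are sized for the 32 entries the check admits cannot be confirmed from here.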