1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00

avcodec/hevc_sei: Check payload size in decode_nal_sei_message()

Fixes: out of array access
Fixes: 29392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4821602850177024.fuzz

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2021-01-31 14:59:27 +01:00
parent 8574fcbfc7
commit 0791a515d3

View File

@ -463,6 +463,8 @@ static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s,
byte = get_bits(gb, 8); byte = get_bits(gb, 8);
payload_size += byte; payload_size += byte;
} }
if (get_bits_left(gb) < 8LL*payload_size)
return AVERROR_INVALIDDATA;
if (nal_unit_type == HEVC_NAL_SEI_PREFIX) { if (nal_unit_type == HEVC_NAL_SEI_PREFIX) {
return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size); return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size);
} else { /* nal_unit_type == NAL_SEI_SUFFIX */ } else { /* nal_unit_type == NAL_SEI_SUFFIX */