mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
avcodec/hevc_sei: Check payload size in decode_nal_sei_message()
Fixes: out of array access Fixes: 29392/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-4821602850177024.fuzz Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
8574fcbfc7
commit
0791a515d3
@ -463,6 +463,8 @@ static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s,
|
|||||||
byte = get_bits(gb, 8);
|
byte = get_bits(gb, 8);
|
||||||
payload_size += byte;
|
payload_size += byte;
|
||||||
}
|
}
|
||||||
|
if (get_bits_left(gb) < 8LL*payload_size)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
if (nal_unit_type == HEVC_NAL_SEI_PREFIX) {
|
if (nal_unit_type == HEVC_NAL_SEI_PREFIX) {
|
||||||
return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size);
|
return decode_nal_sei_prefix(gb, logctx, s, ps, payload_type, payload_size);
|
||||||
} else { /* nal_unit_type == NAL_SEI_SUFFIX */
|
} else { /* nal_unit_type == NAL_SEI_SUFFIX */
|
||||||
|
Loading…
Reference in New Issue
Block a user