virtualenv/FFmpeg
1
0
Fork 0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-03-17 20:17:55 +02:00
Code Issues Releases Activity

avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message()

Browse Source 
Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int'
Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808)
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
Michael Niedermayer 2017-12-15 17:50:12 +01:00
parent badca11741
commit bdba0f6786
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libavcodec/hevc_sei.c
View File

@ -344,11 +344,15 @@ static int decode_nal_sei_message(HEVCContext *s)
av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n"); av_log(s->avctx, AV_LOG_DEBUG, "Decoding SEI\n");
while (byte == 0xFF) { while (byte == 0xFF) {
if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255)
return AVERROR_INVALIDDATA;
byte = get_bits(gb, 8); byte = get_bits(gb, 8);
payload_type += byte; payload_type += byte;
} }
byte = 0xFF; byte = 0xFF;
while (byte == 0xFF) { while (byte == 0xFF) {
if (get_bits_left(gb) < 8 + 8LL*payload_size)
return AVERROR_INVALIDDATA;
byte = get_bits(gb, 8); byte = get_bits(gb, 8);
payload_size += byte; payload_size += byte;
} }