[FFmpeg-cvslog] avcodec/hevc/hevcdec: Check num_entry_point_offsets
Michael Niedermayer
git at videolan.org
Mon Aug 4 23:56:43 EEST 2025
ffmpeg | branch: release/7.0 | Michael Niedermayer <michael at niedermayer.cc> | Thu May 8 23:57:33 2025 +0200| [7c4b1badd6f071d3d7f444a988606c7237abebd5] | committer: Michael Niedermayer
avcodec/hevc/hevcdec: Check num_entry_point_offsets
The code uses int, unsigned int and uint16_t to store num_entry_point_offsets
This limits it to the smallest of the 3.
Alternatively uint16_t can be changed and then a larger limit used.
A Check will still be needed.
Fixes: 391974932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5966648879677440
Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int'
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit 791a333a0ea5aeee1bea12065b407ba442ac59b4)
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=7c4b1badd6f071d3d7f444a988606c7237abebd5
---
libavcodec/hevcdec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 9b3f31c948..dc397e4c34 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -956,7 +956,7 @@ static int hls_slice_header(HEVCContext *s)
if (s->ps.pps->tiles_enabled_flag || s->ps.pps->entropy_coding_sync_enabled_flag) {
unsigned num_entry_point_offsets = get_ue_golomb_long(gb);
// It would be possible to bound this tighter but this here is simpler
- if (num_entry_point_offsets > get_bits_left(gb)) {
+ if (num_entry_point_offsets > get_bits_left(gb) || num_entry_point_offsets > UINT16_MAX) {
av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets);
return AVERROR_INVALIDDATA;
}
More information about the ffmpeg-cvslog
mailing list