[FFmpeg-devel] [PATCH v2 1/3] lavc/hevc_mp4toannexb: Fix integer overflow
Andriy Gelman
andriy.gelman at gmail.com
Wed Dec 4 02:04:09 EET 2019
From: Andriy Gelman <andriy.gelman at gmail.com>
Check packet grow size against INT_MAX instead of SIZE_MAX.
Found with libFuzzer:
4294967044 cannot be represented as int.
Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
---
libavcodec/hevc_mp4toannexb_bsf.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c
index 09bce5b34c2..bf4c25b3b7b 100644
--- a/libavcodec/hevc_mp4toannexb_bsf.c
+++ b/libavcodec/hevc_mp4toannexb_bsf.c
@@ -66,7 +66,7 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx)
for (j = 0; j < cnt; j++) {
int nalu_len = bytestream2_get_be16(&gb);
- if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
+ if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > INT_MAX - new_extradata_size) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
@@ -152,8 +152,8 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
extra_size = add_extradata * ctx->par_out->extradata_size;
got_irap |= is_irap;
- if (SIZE_MAX - nalu_size < 4 ||
- SIZE_MAX - 4 - nalu_size < extra_size) {
+ if (INT_MAX < 4 + (uint64_t)nalu_size ||
+ INT_MAX - 4 < extra_size + (uint64_t)nalu_size) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
--
2.24.0
More information about the ffmpeg-devel
mailing list