[FFmpeg-devel] [PATCH 04/36] avcodec/vp9_superframe_bsf: Check superframe size for overflow
Andreas Rheinhardt
andreas.rheinhardt at gmail.com
Sat May 30 19:05:09 EEST 2020
This is not dangerous now, because init_get_bits8() already restricts
the size of each packet to INT_MAX/8 - AV_INPUT_BUFFER_PADDING_SIZE.
But it is nevertheless better to check this explicitly.
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at gmail.com>
---
libavcodec/vp9_superframe_bsf.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/libavcodec/vp9_superframe_bsf.c b/libavcodec/vp9_superframe_bsf.c
index f330970acc..a8b58a7fd3 100644
--- a/libavcodec/vp9_superframe_bsf.c
+++ b/libavcodec/vp9_superframe_bsf.c
@@ -42,10 +42,11 @@ static void vp9_superframe_flush(AVBSFContext *ctx)
}
static void stats(AVPacket * const *in, int n_in,
- unsigned *_max, unsigned *_sum)
+ unsigned *_max, uint64_t *_sum)
{
int n;
- unsigned max = 0, sum = 0;
+ uint64_t sum = 0;
+ unsigned max = 0;
for (n = 0; n < n_in; n++) {
unsigned sz = in[n]->size;
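Review bot: The widened `_sum` out-parameter of `stats()` has no comment saying why it is 64-bit while `_max` stays `unsigned`, so a later cleanup could narrow it again and silently bring the wrap-around back. A one-line comment above the function would pin the intent, for example `/* *_sum is 64-bit so adding up n_in packet sizes cannot wrap; the caller range-checks it before allocating. */`. Separately, `unsigned sz = in[n]->size;` converts an `int` to `unsigned`, so a negative size would turn into a very large value; whether such a packet can reach this function is not visible here. The body of `stats()` continues outside the hunk.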
@@ -61,15 +62,18 @@ static void stats(AVPacket * const *in, int n_in,
static int merge_superframe(AVPacket * const *in, int n_in, AVPacket *out)
{
- unsigned max, sum, mag, marker, n, sz;
+ unsigned max, mag, marker, n;
+ uint64_t sum;
uint8_t *ptr;
int res;
stats(in, n_in, &max, &sum);
mag = av_log2(max) >> 3;
marker = 0xC0 + (mag << 3) + (n_in - 1);
- sz = sum + 2 + (mag + 1) * n_in;
- res = av_new_packet(out, sz);
+ sum += 2 + (mag + 1) * n_in;
+ if (sum > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)
+ return AVERROR(ERANGE);
+ res = av_new_packet(out, sum);
if (res < 0)
return res;
ptr = out->data;
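Review bot: In `merge_superframe()`, the term `(mag + 1) * n_in` is still evaluated in 32-bit `unsigned` arithmetic before it is added to the 64-bit `sum`, so only the addition is protected by the widening. This looks harmless if `n_in` is small (the marker stores `n_in - 1` in its low bits), but that bound is not visible in the hunk; `sum += 2 + (uint64_t)(mag + 1) * n_in;` would make the whole computation 64-bit. The call `av_new_packet(out, sum)` also narrows `uint64_t` to `int` implicitly and is safe only because of the range check directly above it. A comment such as `/* sum <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE here, so the conversion to int is lossless */` would keep the two from being separated later. The function body continues past the hunk, presumably with the code that fills `out->data`, which is where an undersized allocation would matter.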
--
2.20.1