[FFmpeg-devel] [PATCH 3/3] avcodec/cbs_h2645: Avoid an unchecked bytesteram read
Michael Niedermayer
michael at niedermayer.cc
Tue Jul 25 23:41:49 EEST 2023
On Mon, Jul 24, 2023 at 11:28:20PM -0300, James Almer wrote:
> On 7/24/2023 9:46 PM, Michael Niedermayer wrote:
> > The unchecked read caused the 2nd subsequent tell call to move backward resulting
> > in a negative length
> >
> > Fixes: assertion failure
> > Fixes: 60276/clusterfuzz-testcase-minimized-ffmpeg_BSF_TRACE_HEADERS_fuzzer-5434126636023808
> >
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> > ---
> > libavcodec/cbs_h2645.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
> > index 34c5d1d372..21c8bc76d5 100644
> > --- a/libavcodec/cbs_h2645.c
> > +++ b/libavcodec/cbs_h2645.c
> > @@ -695,7 +695,7 @@ static int cbs_h2645_split_fragment(CodedBitstreamContext *ctx,
> > int nal_unit_type = bytestream2_get_byte(&gbc) & 0x1f;
> > unsigned int num_nalus = 1;
> > if(nal_unit_type != VVC_DCI_NUT && nal_unit_type != VVC_OPI_NUT)
> > - num_nalus = bytestream2_get_be16u(&gbc);
> > + num_nalus = bytestream2_get_be16(&gbc);
> > start = bytestream2_tell(&gbc);
> > for(i = 0; i < num_nalus; i++) {
>
> LGTM.
will apply
thx
[...]
--
Michael GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
"You are 36 times more likely to die in a bathtub than at the hands of a
terrorist. Also, you are 2.5 times more likely to become a president and
2 times more likely to become an astronaut, than to die in a terrorist
attack." -- Thoughty2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <https://ffmpeg.org/pipermail/ffmpeg-devel/attachments/20230725/6e4c23d5/attachment.sig>
More information about the ffmpeg-devel
mailing list