In palette_update_predictor, the number of entries could exceed VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE. This patch clamps the size before memcpy to avoid buffer overflows.
Signed-off-by: 0xBat <[email protected]> --- libavcodec/vvc/ctu.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavcodec/vvc/ctu.c b/libavcodec/vvc/ctu.c index 18cbe0fe0f..9d56abe8fd 100644 --- a/libavcodec/vvc/ctu.c +++ b/libavcodec/vvc/ctu.c @@ -1932,6 +1932,8 @@ static void palette_update_predictor(VVCLocalContext *lc, const bool local_dual_ } } + if (i > VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE) + i = VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE; memcpy(pp->entries, plt->entries, i * sizeof(pp->entries[0])); pp->size = i; } -- 2.52.0.windows.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
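Review bot: The clamp on `i` sits immediately before the `memcpy`, so it only bounds the copy into `pp->entries` and the value stored in `pp->size`. Whatever advanced `i` in the block that closes just above it has already run by then, so if that block stores through `i` it needs the same bound. The commit message says the count "could exceed" VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE without saying which input reaches that state; please describe that case, and consider bounding `i` where it is incremented rather than silently truncating here. If the clamp stays at this point, `i = FFMIN(i, VVC_MAX_NUM_PALETTE_PREDICTOR_SIZE);` is the more usual single-line form.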
