PR #22442 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22442 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/22442.patch
Fixes: out of array access
Fixes: 490576036/clusterfuzz-testcase-minimized-ffmpeg_BSF_EXTRACT_EXTRADATA_fuzzer-4605696279904256
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
>From b7e1a7f45f6171eed20b34063d0f334e14846379 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <[email protected]>
Date: Sat, 7 Mar 2026 22:02:08 +0100
Subject: [PATCH] avcodec/bsf/extract_extradata: Check that block_size is not negative
Fixes: out of array access
Fixes: 490576036/clusterfuzz-testcase-minimized-ffmpeg_BSF_EXTRACT_EXTRADATA_fuzzer-4605696279904256
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <[email protected]>
---
 libavcodec/bsf/extract_extradata.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libavcodec/bsf/extract_extradata.c b/libavcodec/bsf/extract_extradata.c
index 306ede5136..08293ea7e1 100644
--- a/libavcodec/bsf/extract_extradata.c
+++ b/libavcodec/bsf/extract_extradata.c
@@ -304,7 +304,8 @@ static int write_lcevc_nalu(AVBSFContext *ctx, PutByteContext *pbc, const H2645N
 while (bytestream2_get_bytes_left(&gbc) > 1) {
 GetBitContext gb;
- int payload_size_type, payload_type, payload_size;
+ int payload_size_type, payload_type;
+ uint64_t payload_size;
 int block_size, raw_block_size, block_end;
 init_get_bits8(&gb, gbc.buffer, bytestream2_get_bytes_left(&gbc));
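Review bot: Widening `payload_size` to `uint64_t` while `block_size`, `raw_block_size` and `block_end` stay `int` means any expression that mixes them is now evaluated as unsigned 64-bit, and only the sum guarded in the next hunk is visibly range-checked before narrowing. The loop body of write_lcevc_nalu continues outside this hunk, so other uses of `payload_size`, and the assignments for size types other than 7, cannot be confirmed from here and should be checked for signed comparisons or implicit narrowing. The widening presumably exists because `get_mb()` can return more than an `int` holds; its definition is not part of the diff. A declaration comment would record the intent, e.g. `/* 64-bit so a bitstream-supplied size is range-checked before narrowing to int */`.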
@@ -317,6 +318,9 @@ static int write_lcevc_nalu(AVBSFContext *ctx, PutByteContext *pbc, const H2645N
 if (payload_size_type == 7)
 payload_size = get_mb(&gb);
+ if (payload_size > INT_MAX - (get_bits_count(&gb) >> 3))
+ return AVERROR_INVALIDDATA;
+
 block_size = raw_block_size = payload_size + (get_bits_count(&gb) >> 3);
 if (block_size >= bytestream2_get_bytes_left(&gbc))
 return AVERROR_INVALIDDATA;
-- 
2.52.0
_______________________________________________
ffmpeg-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
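Review bot: The added guard and the assignment after it each evaluate `get_bits_count(&gb) >> 3` separately, so the overflow check and the sum it protects are only implicitly tied to the same header length. Hoisting it once, `int hdr_bytes = get_bits_count(&gb) >> 3;`, then using `if (payload_size > INT_MAX - hdr_bytes)` and `payload_size + hdr_bytes`, makes that link explicit. The guard only keeps the sum representable as `int`; the bound against the remaining input is still the following `block_size >= bytestream2_get_bytes_left(&gbc)` test. A short comment such as `/* payload_size comes from the bitstream; keep block_size representable as int */` would say so. The enclosing loop starts and ends outside the hunk.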
