Currently during parsing the extradata, h264_mp4toannexb checks for
overreads by adding the size of the current unit to the current position
pointer and comparing this to the end position of the extradata. But
pointer comparisons and pointer arithmetic is only defined if it does not
exceed the object it is used on (one past the last element of an array
is allowed, too). In practice, this might lead to overflows. Therefore
the check has been changed, using the new bytestream2_get_bytes_leftu
function.
Furthermore, now the right error code is returned on error.
Signed-off-by: Andreas Rheinhardt <andreas.rheinha...@gmail.com>
---
libavcodec/h264_mp4toannexb_bsf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264_mp4toannexb_bsf.c
b/libavcodec/h264_mp4toannexb_bsf.c
index f31902b506..4390bc3dc5 100644
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -101,11 +101,11 @@ static int h264_extradata_to_annexb(AVBSFContext *ctx,
const int padding)
unit_size = bytestream2_get_be16u(gb);
total_size += unit_size + 4;
av_assert1(total_size <= INT_MAX - padding);
- if (gb->buffer + unit_size > gb->buffer_end) {
+ if (bytestream2_get_bytes_leftu(gb) < unit_size) {
av_log(ctx, AV_LOG_ERROR, "Packet header is not contained in
global extradata, "
"corrupted stream or invalid MP4/AVCC bitstream\n");
av_free(out);
- return AVERROR(EINVAL);
+ return AVERROR_INVALIDDATA;
}
if ((err = av_reallocp(&out, total_size + padding)) < 0)
return err;
--
2.20.1
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
To unsubscribe, visit link above, or email
ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
