This didn't actually cause a buffer overread previously, but it could result
in the end of a NAL being filled with zeros silently.
---
 libavcodec/hevc_mp4toannexb_bsf.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c
index fb4ea34a93..c40308f367 100644
--- a/libavcodec/hevc_mp4toannexb_bsf.c
+++ b/libavcodec/hevc_mp4toannexb_bsf.c
@@ -70,6 +70,10 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx)
 
         for (j = 0; j < cnt; j++) {
             int nalu_len = bytestream2_get_be16(&gb);
+            if (nalu_len < 1 || bytestream2_get_bytes_left(&gb) < nalu_len) {
+                av_log(ctx, AV_LOG_WARNING, "Extradata NAL ended prematurely\n");
+                goto done;
+            }
 
             if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
                 ret = AVERROR_INVALIDDATA;
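Review bot: The new branch ending in `goto done` accepts extradata whose NAL length is zero or runs past the buffer: it logs a warning and then installs whatever was converted so far, whereas the size-overflow check directly below it sets `ret = AVERROR_INVALIDDATA`. If keeping the partial parameter sets is deliberate, a comment above the check such as `/* truncated extradata: keep the NALs parsed so far instead of failing */` would record that. Otherwise, setting `ret = AVERROR_INVALIDDATA;` and taking the same error path as the overflow check would reject the malformed input consistently. The `done:` label added in the second hunk is the landing point, so when the very first entry is rejected the old extradata is freed and replaced by an empty or partial result; whether the code after the label and the callers cope with that is not visible here. The function body starts and ends outside both hunks.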
@@ -86,6 +90,7 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx)
         }
     }
 
+done:
     av_freep(&ctx->par_out->extradata);
     ctx->par_out->extradata      = new_extradata;
     ctx->par_out->extradata_size = new_extradata_size;
-- 
2.18.0
