This didn't actually cause a buffer overread previously, but it could result in the end of a NAL being filled with zeros silently. --- libavcodec/hevc_mp4toannexb_bsf.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c
index fb4ea34a93..c40308f367 100644
--- a/libavcodec/hevc_mp4toannexb_bsf.c
+++ b/libavcodec/hevc_mp4toannexb_bsf.c
@@ -70,6 +70,10 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx)
         for (j = 0; j < cnt; j++) {
             int nalu_len = bytestream2_get_be16(&gb);
+            if (nalu_len < 1 || bytestream2_get_bytes_left(&gb) < nalu_len) {
+                av_log(ctx, AV_LOG_WARNING, "Extradata NAL ended prematurely\n");
+                goto done;
+            }
             if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
                 ret = AVERROR_INVALIDDATA;
@@ -86,6 +90,7 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx)
         }
     }
+done:
     av_freep(&ctx->par_out->extradata);
     ctx->par_out->extradata = new_extradata;
     ctx->par_out->extradata_size = new_extradata_size;
-- 
2.18.0
_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
http://ffmpeg.org/mailman/listinfo/ffmpeg-devel
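Review bot: The new guard turns a truncated hvcC into a warning and then, via `goto done`, commits whatever NAL units were converted before the cut as the output extradata, so a stream whose later parameter-set array is cut off is passed downstream with an incomplete set and the caller never sees an error; the overflow check on the very next line rejects with `ret = AVERROR_INVALIDDATA;` and a jump to the failure path, and the two conditions should probably agree. If the lenient behavior is deliberate, state it above the check, `/* Truncated hvcC: keep the NALs converted so far instead of zero-padding the last one. */`, and make the warning locate the fault, `"Extradata NAL %d ended prematurely\n", j`. The `nalu_len < 1` half also appears to be what catches a length field that could not be read in full (the checked bytestream2 readers presumably yield 0 on a short read), which deserves a comment because it reads like a plain zero-length check. hevc_extradata_to_annexb begins and ends outside the hunk, so whether `ret` is still 0 when the `done` path returns cannot be confirmed from here.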
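Review bot: Placing `done:` immediately before `av_freep(&ctx->par_out->extradata)` means the truncated-extradata path installs `new_extradata` even when the very first NAL was the one cut off, so par_out can end up with whatever the buffer's initial value is (its declaration is outside the hunk, presumably NULL) and an extradata_size of 0. Whether later code that prefixes par_out->extradata to IRAP packets tolerates a NULL pointer with size 0 is not visible here; a one-line comment on the label, `done: /* also reached on truncated extradata; new_extradata may be partial or unallocated */`, would make that contract explicit for the next reader.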