[FFmpeg-devel] [PATCH] avcodec/av1_parse: Check obu_size

James Almer jamrial at gmail.com
Sun Oct 14 17:03:29 EEST 2018


On 10/14/2018 10:43 AM, Michael Niedermayer wrote:
> Fixes: out of array read
> Fixes: SIGSEGV_get_obu_bit_length_av1_parse
> 
> Found-by: keval shah <skeval65 at gmail.com>
> Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
> ---
>  libavcodec/av1_parse.h | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/libavcodec/av1_parse.h b/libavcodec/av1_parse.h
> index 276af33ba9..312d8825e1 100644
> --- a/libavcodec/av1_parse.h
> +++ b/libavcodec/av1_parse.h
> @@ -130,6 +130,9 @@ static inline int parse_obu_header(const uint8_t *buf, int buf_size,
>      if (get_bits_left(&gb) < 0)
>          return AVERROR_INVALIDDATA;
>  
> +    if (*obu_size > (uint64_t)buf_size - get_bits_count(&gb) / 8)
> +        return AVERROR_INVALIDDATA;
> +
>      *start_pos = get_bits_count(&gb) / 8;
>  
>      size = *obu_size + *start_pos;
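Review bot: the new subtraction `(uint64_t)buf_size - get_bits_count(&gb) / 8` is only wrap-free because the `get_bits_left(&gb) < 0` check just above it guarantees the consumed bytes never exceed buf_size; a short comment tying the two together would stop a later reorder from silently reintroducing an unsigned wrap. The condition also restates what the following lines already compute (`size = *obu_size + *start_pos`), so folding it into the existing comparison on `size` would express the bound once instead of twice.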

Right below this line there's the check

    if (size > INT_MAX)
        return AVERROR(ERANGE);

So I think you could just change it to "size > (int64_t)buf_size" and
achieve the same effect without adding an extra check.
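To make the bound concrete, here is an added example that is not FFmpeg's code and not the patch under review: a minimal AV1 OBU header parser that applies the same payload-size check. The header layout it decodes (forbidden bit, obu_type, extension flag, has_size flag, optional extension byte, leb128 obu_size) follows the AV1 bitstream specification; the function names `parse_obu_header_checked`, `read_leb128` and `total_size_fits`, the `struct obu_header` fields, the return codes and the sample buffers are this example's own assumptions.

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>

/* Added illustration, not libavcodec's parse_obu_header(). Return codes
 * are this example's own; they mirror the two outcomes in the thread. */
enum {
    OBU_OK          = 0,
    OBU_INVALIDDATA = -1,   /* malformed header or payload past end of buffer */
    OBU_ERANGE      = -2,   /* header + payload does not fit an int */
};

struct obu_header {
    int      type;
    int      extension;
    int      has_size;
    int      temporal_id;
    int      spatial_id;
    uint64_t obu_size;      /* payload bytes as signalled, or rest of buffer */
    int      start_pos;     /* byte offset of the payload inside buf */
    int64_t  total_size;    /* header bytes + payload bytes */
};

/* Decode an AV1 leb128 value (at most 8 bytes, 7 value bits each).
 * Returns the number of bytes consumed, or 0 when the buffer ends before
 * the terminating byte or the encoding exceeds 8 bytes. */
static int read_leb128(const uint8_t *buf, int buf_size, uint64_t *out)
{
    uint64_t value = 0;
    for (int i = 0; i < 8; i++) {
        if (i >= buf_size)
            return 0;                               /* truncated input */
        value |= (uint64_t)(buf[i] & 0x7f) << (7 * i);
        if (!(buf[i] & 0x80)) {
            *out = value;
            return i + 1;
        }
    }
    return 0;
}

int parse_obu_header_checked(const uint8_t *buf, int buf_size, struct obu_header *h)
{
    int pos;

    if (buf_size < 1 || (buf[0] & 0x80))           /* obu_forbidden_bit set */
        return OBU_INVALIDDATA;
    h->type      = (buf[0] >> 3) & 0x0f;
    h->extension = (buf[0] >> 2) & 1;
    h->has_size  = (buf[0] >> 1) & 1;
    pos = 1;

    if (h->extension) {
        if (buf_size < 2)
            return OBU_INVALIDDATA;
        h->temporal_id = (buf[1] >> 5) & 0x07;
        h->spatial_id  = (buf[1] >> 3) & 0x03;
        pos = 2;
    } else {
        h->temporal_id = h->spatial_id = 0;
    }

    if (h->has_size) {
        int n = read_leb128(buf + pos, buf_size - pos, &h->obu_size);
        if (n == 0)
            return OBU_INVALIDDATA;
        pos += n;
    } else {
        h->obu_size = (uint64_t)(buf_size - pos);
    }

    /* The bound from the patch: the signalled payload must fit in what is
     * left after the header bytes already consumed. buf_size - pos cannot
     * go negative here because every earlier step checked buf_size first. */
    if (h->obu_size > (uint64_t)(buf_size - pos))
        return OBU_INVALIDDATA;

    h->start_pos  = pos;
    h->total_size = (int64_t)h->obu_size + pos;
    if (h->total_size > INT_MAX)                    /* existing range check */
        return OBU_ERANGE;
    return OBU_OK;
}

/* The reply's variant: a single comparison of header + payload against
 * buf_size, which rejects the same inputs because buf_size is an int. */
int total_size_fits(int buf_size, int start_pos, uint64_t obu_size)
{
    return (int64_t)obu_size + start_pos <= (int64_t)buf_size;
}

int main(void)
{
    /* Constructed input: OBU_FRAME header claiming a 3-byte payload but
     * followed by only one byte, the shape that triggers the new check. */
    const uint8_t truncated[] = { 0x32, 0x03, 0xAA };
    struct obu_header h;
    int ret = parse_obu_header_checked(truncated, (int)sizeof truncated, &h);
    printf("truncated OBU -> %s\n", ret == OBU_OK ? "accepted" : "rejected");
    return 0;
}
```

Both `parse_obu_header_checked` and `total_size_fits` reject a header whose obu_size exceeds the bytes remaining after the header, which is the out-of-bounds read the patch closes; the difference is only where the comparison sits.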
