[FFmpeg-devel] [PATCH v3 1/2] lavc/hevc_mp4toannexb: Fix integer overflow

[Andriy Gelman]

From: Andriy Gelman <andriy.gelman at gmail.com>

Fixes a check where the grow_by packet size cannot exceed INT_MAX.

Although the complete heap allocation check should ensure that
(uint64_t)nalu_size + extra_size + 4 + out->size + AV_INPUT_BUFFER_PADDING_SIZE <= INT_MAX,

it suffices to only check that the grow_by size does exceed INT_MAX. The
final memory check is done internally in av_packet_grow(). This approach
means that no casts to uint64_t are needed.

Also, note that extra_size < INT_MAX - 4, because from hevc_extradata_to_annexb():
extra_size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE.

Found with libFuzzer:
4294967044 cannot be represented as int.

Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
---
 libavcodec/hevc_mp4toannexb_bsf.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c
index 09bce5b34c2..f1e1a45abd1 100644
--- a/libavcodec/hevc_mp4toannexb_bsf.c
+++ b/libavcodec/hevc_mp4toannexb_bsf.c
@@ -66,7 +66,7 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx)
         for (j = 0; j < cnt; j++) {
             int nalu_len = bytestream2_get_be16(&gb);
 
-            if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
+            if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > INT_MAX - new_extradata_size) {
                 ret = AVERROR_INVALIDDATA;
                 goto fail;
             }
@@ -152,8 +152,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
         extra_size    = add_extradata * ctx->par_out->extradata_size;
         got_irap     |= is_irap;
 
-        if (SIZE_MAX - nalu_size < 4 ||
-            SIZE_MAX - 4 - nalu_size < extra_size) {
+        if (INT_MAX - 4 - extra_size < nalu_size) {
             ret = AVERROR_INVALIDDATA;
             goto fail;
         }
-- 
2.24.0