[FFmpeg-devel] [PATCH v3 1/2] lavc/hevc_mp4toannexb: Fix integer overflow
Andriy Gelman
andriy.gelman at gmail.com
Fri Dec 6 15:55:40 EET 2019
From: Andriy Gelman <andriy.gelman at gmail.com>
Fixes a check where the grow_by packet size cannot exceed INT_MAX.
Although the complete heap allocation check should ensure that
(uint64_t)nalu_size + extra_size + 4 + out->size + AV_INPUT_BUFFER_PADDING_SIZE <= INT_MAX,
it suffices to only check that the grow_by size does exceed INT_MAX. The
final memory check is done internally in av_packet_grow(). This approach
means that no casts to uint64_t are needed.
Also, note that extra_size < INT_MAX - 4, because from hevc_extradata_to_annexb():
extra_size <= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE.
Found with libFuzzer:
4294967044 cannot be represented as int.
Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
---
libavcodec/hevc_mp4toannexb_bsf.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c
index 09bce5b34c2..f1e1a45abd1 100644
--- a/libavcodec/hevc_mp4toannexb_bsf.c
+++ b/libavcodec/hevc_mp4toannexb_bsf.c
@@ -66,7 +66,7 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx)
for (j = 0; j < cnt; j++) {
int nalu_len = bytestream2_get_be16(&gb);
- if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
+ if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > INT_MAX - new_extradata_size) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
@@ -152,8 +152,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
extra_size = add_extradata * ctx->par_out->extradata_size;
got_irap |= is_irap;
- if (SIZE_MAX - nalu_size < 4 ||
- SIZE_MAX - 4 - nalu_size < extra_size) {
+ if (INT_MAX - 4 - extra_size < nalu_size) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
--
2.24.0
More information about the ffmpeg-devel
mailing list