[FFmpeg-devel] [PATCH v1 4/5] avcodec/h264_sei: fix the size of user data unregistered

Michael Niedermayer michael at niedermayer.cc
Tue Dec 17 23:42:54 EET 2019


On Tue, Dec 17, 2019 at 06:22:16PM +0800, lance.lmwang at gmail.com wrote:
> From: Limin Wang <lance.lmwang at gmail.com>
> 
> According to the specifications, the payloadSize includes the 16-byte size of UUID.
> 
> Signed-off-by: Limin Wang <lance.lmwang at gmail.com>
> ---
>  libavcodec/h264_sei.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
> index d4eb9c0dab..46fe8692dd 100644
> --- a/libavcodec/h264_sei.c
> +++ b/libavcodec/h264_sei.c
> @@ -250,14 +250,15 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext *
>      if (size < 16 || size >= INT_MAX - 16)
>          return AVERROR_INVALIDDATA;
>  
> -    user_data = av_malloc(16 + size + 1);
> +    user_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE);
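
Review bot: The guard `size >= INT_MAX - 16` just above the new `av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE)` call reserves only 16 bytes of headroom, so if AV_INPUT_BUFFER_PADDING_SIZE is larger than 16 the addition can overflow for a size just under that limit and the requested allocation size would be wrong. Bound the check with the same constant the allocation uses, for example `size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE`, so the check and the allocation cannot drift apart.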

this can overflow, the previous check still assumes 16

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Freedom in capitalist society always remains about the same as it was in
ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin