[FFmpeg-devel] [PATCH v1 4/5] avcodec/h264_sei: fix the size of user data unregistered

Limin Wang lance.lmwang at gmail.com
Wed Dec 18 03:02:55 EET 2019


On Tue, Dec 17, 2019 at 10:42:54PM +0100, Michael Niedermayer wrote:
> On Tue, Dec 17, 2019 at 06:22:16PM +0800, lance.lmwang at gmail.com wrote:
> > From: Limin Wang <lance.lmwang at gmail.com>
> > 
> > According to the specifications, the payloadSize includes the 16-byte size of UUID.
> > 
> > Signed-off-by: Limin Wang <lance.lmwang at gmail.com>
> > ---
> >  libavcodec/h264_sei.c | 7 ++++---
> >  1 file changed, 4 insertions(+), 3 deletions(-)
> > 
> > diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
> > index d4eb9c0dab..46fe8692dd 100644
> > --- a/libavcodec/h264_sei.c
> > +++ b/libavcodec/h264_sei.c
> > @@ -250,14 +250,15 @@ static int decode_unregistered_user_data(H264SEIUnregistered *h, GetBitContext *
> >      if (size < 16 || size >= INT_MAX - 16)
> >          return AVERROR_INVALIDDATA;
> >  
> > -    user_data = av_malloc(16 + size + 1);
> > +    user_data = av_malloc(size + AV_INPUT_BUFFER_PADDING_SIZE);
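Review bot: The unchanged guard `size >= INT_MAX - 16` on the first line of this hunk no longer bounds the new allocation `size + AV_INPUT_BUFFER_PADDING_SIZE`. The guard only rules out overflow for an addend of 16, so if the padding constant is larger than 16, a size just under the limit lets the sum exceed INT_MAX before it reaches av_malloc. Suggest deriving the guard from the same constant, for example `if (size < 16 || size >= INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE)`, so the check and the allocation cannot drift apart. The diffstat lists 4 insertions and 3 deletions but only this one changed pair is visible here, so whether the later read and termination of user_data were adjusted to the new size cannot be checked from this excerpt.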
> 
> this can overflow, the previous check still assumes 16

Will fix it 

> 
> thx
> 
> [...]
> -- 
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
> 
> Freedom in capitalist society always remains about the same as it was in
> ancient Greek republics: Freedom for slave owners. -- Vladimir Lenin


