avcodec/bsf/extract_extradata: Check that block_size is not negative

Fixes: out of array access
Fixes: 490576036/clusterfuzz-testcase-minimized-ffmpeg_BSF_EXTRACT_EXTRADATA_fuzzer-4605696279904256

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Michael Niedermayer
2026-03-07 22:02:08 +01:00
committed by James Almer
parent e5e8efae5c
commit 248b481c33


@@ -304,7 +304,8 @@ static int write_lcevc_nalu(AVBSFContext *ctx, PutByteContext *pbc, const H2645N
while (bytestream2_get_bytes_left(&gbc) > 1) {
GetBitContext gb;
int payload_size_type, payload_type, payload_size;
int payload_size_type, payload_type;
uint64_t payload_size;
int block_size, raw_block_size, block_end;
init_get_bits8(&gb, gbc.buffer, bytestream2_get_bytes_left(&gbc));
@@ -317,6 +318,9 @@ static int write_lcevc_nalu(AVBSFContext *ctx, PutByteContext *pbc, const H2645N
if (payload_size_type == 7)
payload_size = get_mb(&gb);
if (payload_size > INT_MAX - (get_bits_count(&gb) >> 3))
return AVERROR_INVALIDDATA;
block_size = raw_block_size = payload_size + (get_bits_count(&gb) >> 3);
if (block_size >= bytestream2_get_bytes_left(&gbc))
return AVERROR_INVALIDDATA;
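Review bot: The new overflow guard and the assignment after it each evaluate `get_bits_count(&gb) >> 3` separately, and the guard is only sound if both see the same value. Hoisting it into a local, `int hdr_bytes = get_bits_count(&gb) >> 3;`, then writing `if (payload_size > INT_MAX - hdr_bytes)` and `block_size = raw_block_size = payload_size + hdr_bytes;`, makes that dependency explicit. A short comment above the guard, such as `/* payload_size is a 64-bit value read from the bitstream; reject it before the sum is narrowed to int */`, would record why the type was widened. Whether get_mb() bounds how many bytes it consumes is not visible here, and write_lcevc_nalu's body extends beyond both hunks.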