[FFmpeg-devel] [PATCH v2 1/2] avcodec/vvc_mp4toannexb: check bytes left for nalu_len
Nuo Mi
nuomi2021 at gmail.com
Fri Feb 9 13:16:30 EET 2024
Fixes: fuzzer timeout
Fixes: 65253/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_MP4TOANNEXB_fuzzer-4972412487467008
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>
---
libavcodec/bsf/vvc_mp4toannexb.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavcodec/bsf/vvc_mp4toannexb.c b/libavcodec/bsf/vvc_mp4toannexb.c
index 25c3726918..36bdae8f49 100644
--- a/libavcodec/bsf/vvc_mp4toannexb.c
+++ b/libavcodec/bsf/vvc_mp4toannexb.c
@@ -155,10 +155,11 @@ static int vvc_extradata_to_annexb(AVBSFContext *ctx)
}
for (j = 0; j < cnt; j++) {
- int nalu_len = bytestream2_get_be16(&gb);
+ const int nalu_len = bytestream2_get_be16(&gb);
- if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len >
- SIZE_MAX - new_extradata_size) {
+ if (!nalu_len ||
+ nalu_len > bytestream2_get_bytes_left(&gb) ||
+ 4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
ret = AVERROR_INVALIDDATA;
goto fail;
}
--
2.25.1
More information about the ffmpeg-devel
mailing list