avcodec/hevc_sei: keep size in sync with the registered ITU-T T35 SEI GetBitContext

Signed-off-by: James Almer <jamrial@gmail.com>

diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c
index 8af9f9b29d9d3f83401b8b514a763563eb70e16f..159ef5830a2084b58ebe5f13746ce882a4b87d0c 100644 (file)
--- a/libavcodec/hevc_sei.c
+++ b/libavcodec/hevc_sei.c
@@ -241,9 +241,9 @@ static int decode_nal_sei_user_data_registered_itu_t_t35(HEVCSEI *s, GetBitConte
     uint8_t country_code = 0;
     uint16_t provider_code = 0;
 
-    if (size < 7)
+    if (size < 3)
         return AVERROR(EINVAL);
-    size -= 7;
+    size -= 3;
 
     country_code = get_bits(gb, 8);
     if (country_code == 0xFF) {
@@ -258,16 +258,27 @@ static int decode_nal_sei_user_data_registered_itu_t_t35(HEVCSEI *s, GetBitConte
         // A/341 Amendment - 2094-40
         const uint16_t smpte2094_40_provider_oriented_code = 0x0001;
         const uint8_t smpte2094_40_application_identifier = 0x04;
+        uint16_t provider_oriented_code;
+        uint8_t application_identifier;
 
-        uint16_t provider_oriented_code = get_bits(gb, 16);
-        uint8_t application_identifier = get_bits(gb, 8);
+        if (size < 3)
+            return AVERROR(EINVAL);
+        size -= 3;
 
+        provider_oriented_code = get_bits(gb, 16);
+        application_identifier = get_bits(gb, 8);
         if (provider_oriented_code == smpte2094_40_provider_oriented_code &&
             application_identifier == smpte2094_40_application_identifier) {
             return decode_registered_user_data_dynamic_hdr_plus(&s->dynamic_hdr_plus, gb, size);
         }
     } else {
-        uint32_t user_identifier = get_bits_long(gb, 32);
+        uint32_t user_identifier;
+
+        if (size < 4)
+            return AVERROR(EINVAL);
+        size -= 4;
+
+        user_identifier = get_bits_long(gb, 32);
         switch (user_identifier) {
         case MKBETAG('G', 'A', '9', '4'):
             return decode_registered_user_data_closed_caption(&s->a53_caption, gb, size);