X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fhevc_mp4toannexb_bsf.c;h=ba1deb28489cf5f2723b919e7dc6482eb7057959;hb=0bf3a7361d17d596a5044882098f56817db0e103;hp=09bce5b34c24d5fedd9ed12bedc7b216e1f9a319;hpb=47e12966b75490cfa5fb8ed65a48a9a3d84a7bce;p=ffmpeg diff --git a/libavcodec/hevc_mp4toannexb_bsf.c b/libavcodec/hevc_mp4toannexb_bsf.c index 09bce5b34c2..ba1deb28489 100644 --- a/libavcodec/hevc_mp4toannexb_bsf.c +++ b/libavcodec/hevc_mp4toannexb_bsf.c @@ -26,6 +26,7 @@ #include "avcodec.h" #include "bsf.h" +#include "bsf_internal.h" #include "bytestream.h" #include "hevc.h" @@ -141,9 +142,18 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) int nalu_type; int is_irap, add_extradata, extra_size, prev_size; + if (bytestream2_get_bytes_left(&gb) < s->length_size) { + ret = AVERROR_INVALIDDATA; + goto fail; + } for (i = 0; i < s->length_size; i++) nalu_size = (nalu_size << 8) | bytestream2_get_byte(&gb); + if (nalu_size < 2 || nalu_size > bytestream2_get_bytes_left(&gb)) { + ret = AVERROR_INVALIDDATA; + goto fail; + } + nalu_type = (bytestream2_peek_byte(&gb) >> 1) & 0x3f; /* prepend extradata to IRAP frames */ @@ -152,8 +162,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) extra_size = add_extradata * ctx->par_out->extradata_size; got_irap |= is_irap; - if (SIZE_MAX - nalu_size < 4 || - SIZE_MAX - 4 - nalu_size < extra_size) { + if (FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size) { ret = AVERROR_INVALIDDATA; goto fail; } @@ -164,7 +173,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out) if (ret < 0) goto fail; - if (add_extradata) + if (extra_size) memcpy(out->data + prev_size, ctx->par_out->extradata, extra_size); AV_WB32(out->data + prev_size + extra_size, 1); bytestream2_get_buffer(&gb, out->data + prev_size + 4 + extra_size, nalu_size);