Mercurial > libavcodec.hg

changeset 11698:9a4c9c165b3b libavcodec

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Check NAL unit size to avoid reading past the buffer. This fixes issue1907 Patch by Thomas Devanneaux gmail(thomdev)
author benoit
date Mon, 10 May 2010 07:08:57 +0000
parents 79a98585aa2d
children 83b49b0997e8
files h264_mp4toannexb_bsf.c
diffstat 1 files changed, 14 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/h264_mp4toannexb_bsf.c	Sun May 09 23:04:06 2010 +0000
+++ b/h264_mp4toannexb_bsf.c	Mon May 10 07:08:57 2010 +0000
@@ -55,7 +55,9 @@
                                    int keyframe) {
     H264BSFContext *ctx = bsfc->priv_data;
     uint8_t unit_type;
-    uint32_t nal_size, cumul_size = 0;
+    int32_t nal_size;
+    uint32_t cumul_size = 0;
+    const uint8_t *buf_end = buf + buf_size;
 
     /* nothing to filter */
     if (!avctx->extradata || avctx->extradata_size < 6) {
@@ -109,6 +111,9 @@
     *poutbuf_size = 0;
     *poutbuf = NULL;
     do {
+        if (buf + ctx->length_size > buf_end)
+            goto fail;
+
         if (ctx->length_size == 1)
             nal_size = buf[0];
         else if (ctx->length_size == 2)
@@ -119,6 +124,9 @@
         buf += ctx->length_size;
         unit_type = *buf & 0x1f;
 
+        if (buf + nal_size > buf_end || nal_size < 0)
+            goto fail;
+
         /* prepend only to the first type 5 NAL unit of an IDR picture */
         if (ctx->first_idr && unit_type == 5) {
             alloc_and_copy(poutbuf, poutbuf_size,
@@ -139,6 +147,11 @@
     } while (cumul_size < buf_size);
 
     return 1;
+
+fail:
+    av_freep(poutbuf);
+    *poutbuf_size = 0;
+    return AVERROR(EINVAL);
 }
 
 static void h264_mp4toannexb_close(AVBitStreamFilterContext *bsfc)