[FFmpeg-cvslog] avcodec/hevc: Check entry_point_offsets

Michael Niedermayer git at videolan.org
Sun Dec 6 04:41:12 CET 2015


ffmpeg | branch: release/2.8 | Michael Niedermayer <michael at niedermayer.cc> | Fri Nov 27 18:30:05 2015 +0100| [31e54f41a023d426909d55b54275cd33faf20296] | committer: Michael Niedermayer

avcodec/hevc: Check entry_point_offsets

Fixes out of array read
Fixes: 007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c)

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=31e54f41a023d426909d55b54275cd33faf20296
---

 libavcodec/hevc.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index e8c78b0..8ee2abc 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2440,7 +2440,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal)
     HEVCLocalContext *lc = s->HEVClc;
     int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
     int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
-    int offset;
+    int64_t offset;
     int startheader, cmpt = 0;
     int i, j, res = 0;
 
@@ -2487,6 +2487,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal)
     }
     if (s->sh.num_entry_point_offsets != 0) {
         offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt;
+        if (length < offset) {
+            av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n");
+            res = AVERROR_INVALIDDATA;
+            goto error;
+        }
         s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset;
         s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset;
 
@@ -2513,6 +2518,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const HEVCNAL *nal)
 
     for (i = 0; i <= s->sh.num_entry_point_offsets; i++)
         res += ret[i];
+error:
     av_free(ret);
     av_free(arg);
     return res;



More information about the ffmpeg-cvslog mailing list