[FFmpeg-cvslog] avcodec/hevc_sei: keep size in sync with the registered ITU-T T35 SEI GetBitContext

James Almer git at videolan.org
Mon Dec 7 19:33:03 EET 2020


ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Sun Dec  6 12:30:13 2020 -0300| [b9f7c9b2723f44aa7850c24f9dcbb6a4e3ac555f] | committer: James Almer

avcodec/hevc_sei: keep size in sync with the registered ITU-T T35 SEI GetBitContext

Signed-off-by: James Almer <jamrial at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b9f7c9b2723f44aa7850c24f9dcbb6a4e3ac555f
---

 libavcodec/hevc_sei.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c
index 8af9f9b29d..159ef5830a 100644
--- a/libavcodec/hevc_sei.c
+++ b/libavcodec/hevc_sei.c
@@ -241,9 +241,9 @@ static int decode_nal_sei_user_data_registered_itu_t_t35(HEVCSEI *s, GetBitConte
     uint8_t country_code = 0;
     uint16_t provider_code = 0;
 
-    if (size < 7)
+    if (size < 3)
         return AVERROR(EINVAL);
-    size -= 7;
+    size -= 3;
 
     country_code = get_bits(gb, 8);
     if (country_code == 0xFF) {
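Review bot: The literal 3 in the new `if (size < 3)` / `size -= 3` at the top of the function carries no comment naming the fields it accounts for, and a miscounted prefix is exactly what let `size` drift from the GetBitContext before this commit. A comment such as `/* country_code (8 bits) + provider_code (16 bits) */` above the check would make the byte count auditable; the provider_code read is outside the hunk, so confirm it is the 16-bit field meant here. The body of the `country_code == 0xFF` branch is also outside the hunk; if it consumes an extension byte, it needs its own check and decrement so `size` stays in sync on that path too.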
@@ -258,16 +258,27 @@ static int decode_nal_sei_user_data_registered_itu_t_t35(HEVCSEI *s, GetBitConte
         // A/341 Amendment - 2094-40
         const uint16_t smpte2094_40_provider_oriented_code = 0x0001;
         const uint8_t smpte2094_40_application_identifier = 0x04;
+        uint16_t provider_oriented_code;
+        uint8_t application_identifier;
 
-        uint16_t provider_oriented_code = get_bits(gb, 16);
-        uint8_t application_identifier = get_bits(gb, 8);
+        if (size < 3)
+            return AVERROR(EINVAL);
+        size -= 3;
 
+        provider_oriented_code = get_bits(gb, 16);
+        application_identifier = get_bits(gb, 8);
         if (provider_oriented_code == smpte2094_40_provider_oriented_code &&
             application_identifier == smpte2094_40_application_identifier) {
             return decode_registered_user_data_dynamic_hdr_plus(&s->dynamic_hdr_plus, gb, size);
         }
     } else {
-        uint32_t user_identifier = get_bits_long(gb, 32);
+        uint32_t user_identifier;
+
+        if (size < 4)
+            return AVERROR(EINVAL);
+        size -= 4;
+
+        user_identifier = get_bits_long(gb, 32);
         switch (user_identifier) {
         case MKBETAG('G', 'A', '9', '4'):
             return decode_registered_user_data_closed_caption(&s->a53_caption, gb, size);
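Review bot: The two new truncation checks (`if (size < 3)` in the A/341 branch and `if (size < 4)` before `user_identifier` is read) return `AVERROR(EINVAL)`, although a short payload is a property of the bitstream rather than of a caller argument; `return AVERROR_INVALIDDATA;` would let callers tell malformed input from API misuse. The unchanged check at the top of the function uses the same code, so changing all three together keeps the function consistent. `size` is then passed to `decode_registered_user_data_dynamic_hdr_plus` and `decode_registered_user_data_closed_caption` as the remaining byte count, and nothing visible here compares it with the bits actually left in `gb`. Presumably the caller guarantees that, and a one-line comment stating the assumption would help the next reader. The function continues past the end of the hunk.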


