[FFmpeg-cvslog] avcodec/evc_frame_merge: ensure the assembled buffer fits in an AVPacket

James Almer git at videolan.org
Fri Jun 23 15:32:28 EEST 2023


ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Wed Jun 21 17:10:47 2023 -0300| [b1b45ac9d445752e7cb0e10b2b9ee9aa4023e3a0] | committer: James Almer

avcodec/evc_frame_merge: ensure the assembled buffer fits in an AVPacket

Signed-off-by: James Almer <jamrial at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=b1b45ac9d445752e7cb0e10b2b9ee9aa4023e3a0
---

 libavcodec/evc_frame_merge_bsf.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavcodec/evc_frame_merge_bsf.c b/libavcodec/evc_frame_merge_bsf.c
index 121f93c0b0..3e1258c6c9 100644
--- a/libavcodec/evc_frame_merge_bsf.c
+++ b/libavcodec/evc_frame_merge_bsf.c
@@ -199,8 +199,16 @@ static int evc_frame_merge_filter(AVBSFContext *bsf, AVPacket *out)
         au_end_found = err;
 
         nalu_size += EVC_NALU_LENGTH_PREFIX_SIZE;
+
+        data_size = ctx->au_buffer.data_size + nalu_size;
+        if (data_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+            av_log(bsf, AV_LOG_ERROR, "Assembled packet is too big\n");
+            err = AVERROR(ERANGE);
+            goto end;
+        }
+
         buffer = av_fast_realloc(ctx->au_buffer.data, &ctx->au_buffer.capacity,
-                                 ctx->au_buffer.data_size + nalu_size);
+                                 data_size);
         if (!buffer) {
             av_freep(&ctx->au_buffer.data);
             err = AVERROR_INVALIDDATA;
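Review bot: The new bound in evc_frame_merge_filter is tested only after `ctx->au_buffer.data_size + nalu_size` has been computed, so it is sound only if that sum cannot wrap in the type of `data_size`. The declarations of `data_size` and `nalu_size` are outside this hunk, so their widths should be confirmed. If the sum can wrap (a 32-bit type, or `size_t` on a 32-bit build) and `nalu_size` is taken from the bitstream, a wrapped value would pass the check and the `memcpy` in the following hunk would copy `nalu_size` bytes into a buffer reallocated to the smaller size. Writing the test in subtraction form removes that dependency: `if (nalu_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE - ctx->au_buffer.data_size) {`. A short comment would also help, for example `/* AVPacket.size is an int and packet allocation adds AV_INPUT_BUFFER_PADDING_SIZE */`.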
@@ -210,7 +218,7 @@ static int evc_frame_merge_filter(AVBSFContext *bsf, AVPacket *out)
         ctx->au_buffer.data = buffer;
         memcpy(ctx->au_buffer.data + ctx->au_buffer.data_size, in->data, nalu_size);
 
-        ctx->au_buffer.data_size += nalu_size;
+        ctx->au_buffer.data_size = data_size;
 
         in->data += nalu_size;
         in->size -= nalu_size;


