[FFmpeg-devel] [PATCH v2 1/3] lavc/hevc_mp4toannexb: Fix integer overflow

Andreas Rheinhardt andreas.rheinhardt at gmail.com
Wed Dec 4 02:26:30 EET 2019 

On Wed, Dec 4, 2019 at 1:04 AM Andriy Gelman <andriy.gelman at gmail.com>
wrote:

> From: Andriy Gelman <andriy.gelman at gmail.com>
>
> Check packet grow size against INT_MAX instead of SIZE_MAX.
>
> Found with libFuzzer:
> 4294967044 cannot be represented as int.
>
> Signed-off-by: Andriy Gelman <andriy.gelman at gmail.com>
> ---
>  libavcodec/hevc_mp4toannexb_bsf.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/libavcodec/hevc_mp4toannexb_bsf.c
> b/libavcodec/hevc_mp4toannexb_bsf.c
> index 09bce5b34c2..bf4c25b3b7b 100644
> --- a/libavcodec/hevc_mp4toannexb_bsf.c
> +++ b/libavcodec/hevc_mp4toannexb_bsf.c
> @@ -66,7 +66,7 @@ static int hevc_extradata_to_annexb(AVBSFContext *ctx)
>          for (j = 0; j < cnt; j++) {
>              int nalu_len = bytestream2_get_be16(&gb);
>
> -            if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX -
> new_extradata_size) {
> +            if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > INT_MAX -
> new_extradata_size) {
>

There is actually FF_MAX_EXTRADATA_SIZE constant to limit the size of
extradata (it is chosen so small that one can parse the extradata via a
GetBitContext). (But honestly, it is not used consistently.)


>                  ret = AVERROR_INVALIDDATA;
>                  goto fail;
>              }
> @@ -152,8 +152,8 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx,
> AVPacket *out)
>          extra_size    = add_extradata * ctx->par_out->extradata_size;
>          got_irap     |= is_irap;
>
> -        if (SIZE_MAX - nalu_size < 4 ||
> -            SIZE_MAX - 4 - nalu_size < extra_size) {
> +        if (INT_MAX < 4 + (uint64_t)nalu_size ||
>

The cast is unnecessary: INT_MAX - 4 < nalu_size does the same. And INT_MAX
- 4 can even be computed at compile-time.


> +            INT_MAX - 4 < extra_size + (uint64_t)nalu_size) {
>

If you check that the extradata is not too big (namely <= INT_MAX - 4),
then you can simplify this to INT_MAX - 4 - extra_size < nalu_size. The
left side is positive, so it does not wrap around when converting it to
uint32_t. This makes the first check superfluous.

But it only checks for overflow, not for the scenario of a NAL unit
extending beyond the input packet.

             ret = AVERROR_INVALIDDATA;
>              goto fail;
>          }
>
>

More information about the ffmpeg-devel mailing list