[vlc-commits] av1_unpack: check header overflow

Francois Cartegnie git at videolan.org
Tue Apr 27 11:46:48 UTC 2021


vlc/vlc-3.0 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Mon Apr 12 13:39:46 2021 +0200| [86e2cdd41557664e2a13b79be4d415ccd61428ea] | committer: Hugo Beauzée-Luyssen

av1_unpack: check header overflow

could trigger -1 offset move

reported by Zhen Zhou of NSFOCUS Security Team

(cherry picked from commit 44200dea8c4d2767886b553a7a5887f2191de88f)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>

> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=86e2cdd41557664e2a13b79be4d415ccd61428ea
---

 modules/demux/av1_unpack.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/demux/av1_unpack.h b/modules/demux/av1_unpack.h
index af7f056abf..dcaaa85f34 100644
--- a/modules/demux/av1_unpack.h
+++ b/modules/demux/av1_unpack.h
@@ -55,6 +55,8 @@ static inline block_t * AV1_Unpack_Sample_ExpandSize(block_t *p_block)
         if(AV1_OBUHasSizeField(p_obu))
             continue;
         const uint8_t i_header = 1 + AV1_OBUHasExtensionField(p_obu);
+        if(i_header > i_obu)
+            break;
         const uint8_t i_sizelen = leb128_expected(i_obu - i_header);
         const size_t i_obu_offset = p_obu - p_block->p_buffer;
 
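Review bot: The new `if(i_header > i_obu) break;` check carries no comment, and the reason for it is only in the commit message: `i_obu - i_header`, passed to `leb128_expected()` on the next line, drops below zero when the OBU is shorter than its own header. A one-line comment above the check would keep that visible in the source. Two further points to confirm: the guard exits with `break`, whereas the size-field case just above uses `continue`, so the code after the loop (not visible in this hunk) needs to cope with a sample that was only partly scanned. The equality case `i_header == i_obu` still passes and calls `leb128_expected(0)`, so a header-only OBU with an empty payload should be an input the rest of the function accepts.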


