[vlc-commits] av1_unpack: check header overflow
Francois Cartegnie
git at videolan.org
Tue Apr 27 11:46:48 UTC 2021
vlc/vlc-3.0 | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Mon Apr 12 13:39:46 2021 +0200| [86e2cdd41557664e2a13b79be4d415ccd61428ea] | committer: Hugo Beauzée-Luyssen
av1_unpack: check header overflow
could trigger -1 offset move
reported by Zhen Zhou of NSFOCUS Security Team
(cherry picked from commit 44200dea8c4d2767886b553a7a5887f2191de88f)
Signed-off-by: Hugo Beauzée-Luyssen <hugo at beauzee.fr>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=86e2cdd41557664e2a13b79be4d415ccd61428ea
---
modules/demux/av1_unpack.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/modules/demux/av1_unpack.h b/modules/demux/av1_unpack.h
index af7f056abf..dcaaa85f34 100644
--- a/modules/demux/av1_unpack.h
+++ b/modules/demux/av1_unpack.h
@@ -55,6 +55,8 @@ static inline block_t * AV1_Unpack_Sample_ExpandSize(block_t *p_block)
if(AV1_OBUHasSizeField(p_obu))
continue;
const uint8_t i_header = 1 + AV1_OBUHasExtensionField(p_obu);
+ if(i_header > i_obu)
+ break;
const uint8_t i_sizelen = leb128_expected(i_obu - i_header);
const size_t i_obu_offset = p_obu - p_block->p_buffer;
More information about the vlc-commits
mailing list