From 991ef6e5b9a6a9d95e274ff6bff52db1c82b3808 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Fri, 15 Dec 2017 17:50:12 +0100 Subject: [PATCH] avcodec/hevc_sei: Fix integer overflows in decode_nal_sei_message() Fixes: signed integer overflow: 2147483520 + 255 cannot be represented in type 'int' Fixes: 4554/clusterfuzz-testcase-minimized-4843714515042304 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer --- libavcodec/hevc_sei.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c index 8dd975508a..c59bd4321e 100644 --- a/libavcodec/hevc_sei.c +++ b/libavcodec/hevc_sei.c @@ -324,11 +324,15 @@ static int decode_nal_sei_message(GetBitContext *gb, void *logctx, HEVCSEI *s, av_log(logctx, AV_LOG_DEBUG, "Decoding SEI\n"); while (byte == 0xFF) { + if (get_bits_left(gb) < 16 || payload_type > INT_MAX - 255) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_type += byte; } byte = 0xFF; while (byte == 0xFF) { + if (get_bits_left(gb) < 8 + 8LL*payload_size) + return AVERROR_INVALIDDATA; byte = get_bits(gb, 8); payload_size += byte; }