author | Michael Niedermayer <michael@niedermayer.cc> | 2016-08-18 20:41:31 +0200 |
---|---|---|
committer | Michael Niedermayer <michael@niedermayer.cc> | 2016-08-18 23:36:18 +0200 |
commit | cc13bc8c4f0f4afa30d0b94c3f3a369ccd2aaf0b (patch) | |
tree | cc951b2cf772d43ea307d0fb7bced2a8325a1763 /libavcodec/h2645_parse.c | |
parent | e2a39b103e5917780744fed6fd4336cf65a220f4 (diff) | |
download | ffmpeg-cc13bc8c4f0f4afa30d0b94c3f3a369ccd2aaf0b.tar.gz |
avcodec/h2645: Fix NAL unit padding
The parser changes lost support for the needed padding; this adds it back
Fixes out of array reads
Fixes: 03ea21d271abc8acf428d42ace51d8b4/asan_heap-oob_3358eef_5692_16f0cc01ab5225e9ce591659e5c20e35.mkv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/h2645_parse.c')
-rw-r--r-- | libavcodec/h2645_parse.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/libavcodec/h2645_parse.c b/libavcodec/h2645_parse.c
index ef872fe88c..4ed4c9a3a2 100644
--- a/libavcodec/h2645_parse.c
+++ b/libavcodec/h2645_parse.c
@@ -30,10 +30,11 @@
 #include "h2645_parse.h"
 int ff_h2645_extract_rbsp(const uint8_t *src, int length,
- H2645NAL *nal)
+ H2645NAL *nal, int small_padding)
 {
 int i, si, di;
 uint8_t *dst;
+ int64_t padding = small_padding ? AV_INPUT_BUFFER_PADDING_SIZE : MAX_MBPAIR_SIZE;
 nal->skipped_bytes = 0;
 #define STARTCODE_TEST \
@@ -81,7 +82,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length,
 }
 #endif /* HAVE_FAST_UNALIGNED */
- if (i >= length - 1) { // no escaped 0
+ if (i >= length - 1 && small_padding) { // no escaped 0
 nal->data =
 nal->raw_data = src;
 nal->size =
@@ -90,7 +91,7 @@ int ff_h2645_extract_rbsp(const uint8_t *src, int length,
 }
 av_fast_malloc(&nal->rbsp_buffer, &nal->rbsp_buffer_size,
- length + AV_INPUT_BUFFER_PADDING_SIZE);
+ length + padding);
 if (!nal->rbsp_buffer)
 return AVERROR(ENOMEM);
@@ -247,7 +248,7 @@ static int h264_parse_nal_header(H2645NAL *nal, void *logctx)
 int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length,
 void *logctx, int is_nalff, int nal_length_size,
- enum AVCodecID codec_id)
+ enum AVCodecID codec_id, int small_padding)
 {
 int consumed, ret = 0;
 const uint8_t *next_avc = is_nalff ? buf : buf + length;
@@ -325,7 +326,7 @@ int ff_h2645_packet_split(H2645Packet *pkt, const uint8_t *buf, int length,
 }
 nal = &pkt->nals[pkt->nb_nals];
- consumed = ff_h2645_extract_rbsp(buf, extract_length, nal);
+ consumed = ff_h2645_extract_rbsp(buf, extract_length, nal, small_padding);
 if (consumed < 0)
 return consumed; |
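Review bot: The new `small_padding` parameter in the `@@ -30,10 +30,11 @@` hunk is an undocumented int flag that decides how much readable slack follows the extracted NAL, and nothing at the declaration of `padding` says which consumers need the larger value. A comment above that line such as `/* small_padding != 0: AV_INPUT_BUFFER_PADDING_SIZE bytes after the NAL are enough for the caller; 0: reserve MAX_MBPAIR_SIZE for consumers that may read further */` would make the contract visible; the wording about consumers is my inference from the commit message and should be confirmed. The same flag is threaded through `ff_h2645_packet_split` in the `@@ -247,7 +248,7 @@` and `@@ -325,7 +326,7 @@` hunks, so every caller now chooses the padding, and a caller that passes nonzero by mistake gets back the out-of-array read this commit fixes. The function body continues outside the hunk.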
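Review bot: The trailing comment `// no escaped 0` on the changed condition in the `@@ -81,7 +82,7 @@` hunk no longer describes it, because the branch now also requires `small_padding`. This branch points `nal->data` and `nal->raw_data` at `src` without copying, so it is only safe when the input buffer's own padding is enough for whoever reads the NAL; I would say so in the comment, e.g. `// no escaped 0 and the caller's input padding suffices: reference src directly`. It is also worth recording there that with `small_padding == 0` the code appears to fall through to the `rbsp_buffer` copy for every NAL, including those without escapes. The rest of the branch lies outside the hunk.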
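Review bot: The allocation in the `@@ -90,7 +91,7 @@` hunk now reserves `padding` bytes after the payload, but the hunk does not show whether the code that clears the tail of `rbsp_buffer` was widened to match, and `av_fast_malloc` does not initialise what it returns. If that code still zeroes only AV_INPUT_BUFFER_PADDING_SIZE bytes, the rest of the reserved area holds stale heap contents, so a reader that runs past the NAL stays in bounds but parses leftover data instead of zeros. I would either clear `padding` bytes after the copy or add a comment next to `length + padding` such as `/* only the first AV_INPUT_BUFFER_PADDING_SIZE bytes of the padding are zeroed */`. The function continues outside the hunk, so this needs checking against the full file.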