From b9f7c9b2723f44aa7850c24f9dcbb6a4e3ac555f Mon Sep 17 00:00:00 2001
From: James Almer
Date: Sun, 6 Dec 2020 12:30:13 -0300
Subject: [PATCH] avcodec/hevc_sei: keep size in sync with the registered ITU-T T35 SEI GetBitContext
Signed-off-by: James Almer
---
 libavcodec/hevc_sei.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c
index 8af9f9b29d..159ef5830a 100644
--- a/libavcodec/hevc_sei.c
+++ b/libavcodec/hevc_sei.c
@@ -241,9 +241,9 @@ static int decode_nal_sei_user_data_registered_itu_t_t35(HEVCSEI *s, GetBitConte
 uint8_t country_code = 0;
 uint16_t provider_code = 0;
- if (size < 7)
+ if (size < 3)
 return AVERROR(EINVAL);
- size -= 7;
+ size -= 3;
 country_code = get_bits(gb, 8);
 if (country_code == 0xFF) {
@@ -258,16 +258,27 @@ static int decode_nal_sei_user_data_registered_itu_t_t35(HEVCSEI *s, GetBitConte
 // A/341 Amendment - 2094-40
 const uint16_t smpte2094_40_provider_oriented_code = 0x0001;
 const uint8_t smpte2094_40_application_identifier = 0x04;
+ uint16_t provider_oriented_code;
+ uint8_t application_identifier;
- uint16_t provider_oriented_code = get_bits(gb, 16);
- uint8_t application_identifier = get_bits(gb, 8);
+ if (size < 3)
+ return AVERROR(EINVAL);
+ size -= 3;
+ provider_oriented_code = get_bits(gb, 16);
+ application_identifier = get_bits(gb, 8);
 if (provider_oriented_code == smpte2094_40_provider_oriented_code && application_identifier == smpte2094_40_application_identifier) {
 return decode_registered_user_data_dynamic_hdr_plus(&s->dynamic_hdr_plus, gb, size);
 }
 } else {
- uint32_t user_identifier = get_bits_long(gb, 32);
+ uint32_t user_identifier;
+
+ if (size < 4)
+ return AVERROR(EINVAL);
+ size -= 4;
+
+ user_identifier = get_bits_long(gb, 32);
 switch (user_identifier) {
 case MKBETAG('G', 'A', '9', '4'):
 return decode_registered_user_data_closed_caption(&s->a53_caption, gb, size);
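Review bot: With the up-front reservation cut from 7 bytes to 3, every read between `country_code = get_bits(gb, 8);` and the provider-specific branches now has to account for itself, and the body of `if (country_code == 0xFF) {` lies outside this hunk and is not touched by the patch. If that branch consumes the T.35 extension byte without its own check, `size` ends up one byte larger than what is left in `gb`, which is the same kind of drift this commit sets out to remove. The guard would be `if (size < 1) return AVERROR(EINVAL);` followed by `size--;` ahead of that read. The 3 bytes checked here presumably cover the 8-bit country code plus the 16-bit provider code read further down; a one-line comment saying so would make the literal auditable.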
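Review bot: The literals in `if (size < 3)` / `size -= 3;` and `if (size < 4)` / `size -= 4;` are tied to the `get_bits(gb, 16)` + `get_bits(gb, 8)` and `get_bits_long(gb, 32)` widths only by proximity, and `size` is then handed to `decode_registered_user_data_dynamic_hdr_plus()` and `decode_registered_user_data_closed_caption()` as their length argument. A comment above the first check such as `/* size counts the bytes still unread in gb; the parsers below take it as their payload length */` would state the invariant, so a later change to one read does not silently desynchronise the two again. A truncated payload is malformed input rather than a bad caller argument, so `AVERROR_INVALIDDATA` would describe these failures better than `AVERROR(EINVAL)`, although the patch is consistent with the return already present in the function. The function starts and ends outside the hunk.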