videolan
/
vlc
mirror of https://code.videolan.org/videolan/vlc
1
Fork 0
Code Releases Activity

av1_unpack: check header overflow 

could trigger -1 offset move

reported by Zhen Zhou of NSFOCUS Security Team
This commit is contained in:
Francois Cartegnie 2021-04-12 13:39:46 +02:00 committed by Hugo Beauzée-Luyssen
parent f43cad135a
commit 44200dea8c
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/demux/av1_unpack.h
View File

@ -55,6 +55,8 @@ static inline block_t * AV1_Unpack_Sample_ExpandSize(block_t *p_block)
if(AV1_OBUHasSizeField(p_obu))
continue;
const uint8_t i_header = 1 + AV1_OBUHasExtensionField(p_obu);
if(i_header > i_obu)
break;
const uint8_t i_sizelen = leb128_expected(i_obu - i_header);
const size_t i_obu_offset = p_obu - p_block->p_buffer;