avcodec/hevc: Check entry_point_offsets
authorMichael Niedermayer <michael@niedermayer.cc>
Fri, 27 Nov 2015 17:30:05 +0000 (18:30 +0100)
committerMichael Niedermayer <michael@niedermayer.cc>
Mon, 14 Dec 2015 15:51:00 +0000 (16:51 +0100)
Fixes out of array read
Fixes: 007c4a36608ebdf27ee260ad60a81184/asan_heap-oob_32076b4_2243_116b1cb29d91cc4974d6680e3d10bd91.bit

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit ef9f7bbfa47317f9d46bf46982a394d2be78503c)

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/hevc.c

index 05e7f12..8e7e736 100644 (file)
@@ -2426,7 +2426,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length)
     HEVCLocalContext *lc = s->HEVClc;
     int *ret = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
     int *arg = av_malloc_array(s->sh.num_entry_point_offsets + 1, sizeof(int));
-    int offset;
+    int64_t offset;
     int startheader, cmpt = 0;
     int i, j, res = 0;
 
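Review bot: The widening of `offset` from `int` to `int64_t` has no comment explaining why, so a later cleanup could narrow it back and reintroduce the wrap the commit is guarding against. The accumulation loop that sums the per-entry `entry_point_offset` values sits between this hunk and the next and is not visible here, so the exact overflow path is inferred from the later `length < offset` check rather than shown. Suggest `int64_t offset; /* 64-bit so the running sum of entry_point_offset values cannot wrap before it is range-checked against length */`. hls_slice_data_wpp starts at the hunk header and continues outside this hunk.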
@@ -2473,6 +2473,11 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length)
     }
     if (s->sh.num_entry_point_offsets != 0) {
         offset += s->sh.entry_point_offset[s->sh.num_entry_point_offsets - 1] - cmpt;
+        if (length < offset) {
+            av_log(s->avctx, AV_LOG_ERROR, "entry_point_offset table is corrupted\n");
+            res = AVERROR_INVALIDDATA;
+            goto error;
+        }
         s->sh.size[s->sh.num_entry_point_offsets - 1] = length - offset;
         s->sh.offset[s->sh.num_entry_point_offsets - 1] = offset;
 
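Review bot: The new bound check validates only the final accumulated `offset` against `length`, while the `sh.offset[i]`/`sh.size[i]` entries for earlier entry points are filled in by the loop preceding this hunk (outside the visible lines) and, as far as can be seen here, are not checked individually. If each per-entry delta is guaranteed non-negative this is sufficient, since the final sum then bounds every earlier prefix; if the `- cmpt` emulation-prevention adjustment can make a delta negative, an intermediate entry could still exceed `length` and that assumption should be stated next to the check, e.g. `/* deltas are non-negative, so bounding the final sum bounds every earlier entry */`. When `length == offset` the last segment gets `size = 0`; whether the consumer tolerates a zero-length substream should be confirmed, otherwise the comparison should be `length <= offset`. The function continues past the end of this hunk.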
@@ -2499,6 +2504,7 @@ static int hls_slice_data_wpp(HEVCContext *s, const uint8_t *nal, int length)
 
     for (i = 0; i <= s->sh.num_entry_point_offsets; i++)
         res += ret[i];
+error:
     av_free(ret);
     av_free(arg);
     return res;