From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 3F78746888
	for <ffmpegdev@gitmailbox.com>; Thu, 22 Jun 2023 19:29:44 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 08CC368C1AE;
	Thu, 22 Jun 2023 22:29:42 +0300 (EEST)
Received: from mail-oa1-f46.google.com (mail-oa1-f46.google.com
 [209.85.160.46])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 3878F6801DB
 for <ffmpeg-devel@ffmpeg.org>; Thu, 22 Jun 2023 22:29:35 +0300 (EEST)
Received: by mail-oa1-f46.google.com with SMTP id
 586e51a60fabf-1a9ae7cc01dso5383546fac.3
 for <ffmpeg-devel@ffmpeg.org>; Thu, 22 Jun 2023 12:29:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20221208; t=1687462173; x=1690054173;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:from:to:cc:subject:date:message-id:reply-to;
 bh=3eQtO1yE5FEvfkVOqvwI52OOxA/OcmzccUEjQD151So=;
 b=r4ydjbyf1XJcJmXDk+q/0TQM70r4Gj0ts5yQpkm08kEImumOXGhh4NGMF+ILuvrfXO
 /MsMrkx8lni8G2neANvFdQcbAaKEZgrin+R+tg62COv5TLnuho7p18Cr+PuMRV6vcNrS
 Hky5Ue15Yf2XmVmJnamYdPlhxUoHd3UhGvrImjlnLfOLYjwsHmIytt3/Tww66KDBv1LS
 OBfoxJtTl1SeSpMcIE5LJNNER8H/vFVkx0ER5w3L0RTi0jNBoof988UNPaSbJY2CdwEo
 zS409AU5H2khCdzqYE/yRyId7qCAdkF0c0v1SSkWiPV0SzfXzVmhhpB7jv94bcFC0NjB
 5GbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1687462173; x=1690054173;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=3eQtO1yE5FEvfkVOqvwI52OOxA/OcmzccUEjQD151So=;
 b=SZs6c0zNzlFOx5RA8TaQ5LyzHXzR+bcNqqQgiWuIuja3upD+frFfcGdY4GIo73OGA1
 XSauWXdDE2kyqrT4C2Qjmdl+70wmul2+3hlLq/EhNjYCsTrF50IYup/sIRUqZNz8RjnG
 QTZcSG7FgEvwXTrfIQqiy9Hg/ApmqBTOgdr5NUN8xyvCU+7hy75Mr3AToSjPT8+cOJaZ
 rO8ZEcyQDM8pRdCu/obBPNGmN+jw4a6txBCSz6vBAHtMu/C8VUddRt035KA23tBEosU9
 beV7URfFVcQtTmkX58sR0onkHG3oVysm2tBaBw29AJBL7nUAt25Xqdj0xvKlFZvN+CMG
 l2TQ==
X-Gm-Message-State: AC+VfDxM81EUAAfQZksS++GewMH1DkNkBOnoTVmCxVYKk06ntSwwTtdu
 hpcqFVw6CiSD5dmN76NmD/prgq7COJM=
X-Google-Smtp-Source: ACHHUZ7xMvA1z5VXtYjt78PUkbGMdGcRrWZGXZg9YqZz+VGCn+GkcAVe7KpCcU82B3UtOzvfFrEsgA==
X-Received: by 2002:a05:6870:56a8:b0:180:857:d47d with SMTP id
 p40-20020a05687056a800b001800857d47dmr18173283oao.57.1687462173081; 
 Thu, 22 Jun 2023 12:29:33 -0700 (PDT)
Received: from localhost.localdomain (host197.190-225-105.telecom.net.ar.
 [190.225.105.197]) by smtp.gmail.com with ESMTPSA id
 w17-20020a9d6391000000b006ac75cff491sm3124631otk.3.2023.06.22.12.29.31
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 22 Jun 2023 12:29:32 -0700 (PDT)
From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 22 Jun 2023 16:29:14 -0300
Message-ID: <20230622192918.3638-1-jamrial@gmail.com>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH 1/5] avcodec/evc_frame_merge: ensure the
 assembled buffer fits in an AVPacket
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20230622192918.3638-1-jamrial@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavcodec/evc_frame_merge_bsf.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/libavcodec/evc_frame_merge_bsf.c b/libavcodec/evc_frame_merge_bsf.c
index 121f93c0b0..3e1258c6c9 100644
--- a/libavcodec/evc_frame_merge_bsf.c
+++ b/libavcodec/evc_frame_merge_bsf.c
@@ -199,8 +199,16 @@ static int evc_frame_merge_filter(AVBSFContext *bsf, AVPacket *out)
         au_end_found = err;
 
         nalu_size += EVC_NALU_LENGTH_PREFIX_SIZE;
+
+        data_size = ctx->au_buffer.data_size + nalu_size;
+        if (data_size > INT_MAX - AV_INPUT_BUFFER_PADDING_SIZE) {
+            av_log(bsf, AV_LOG_ERROR, "Assembled packet is too big\n");
+            err = AVERROR(ERANGE);
+            goto end;
+        }
+
         buffer = av_fast_realloc(ctx->au_buffer.data, &ctx->au_buffer.capacity,
-                                 ctx->au_buffer.data_size + nalu_size);
+                                 data_size);
         if (!buffer) {
             av_freep(&ctx->au_buffer.data);
             err = AVERROR_INVALIDDATA;
@@ -210,7 +218,7 @@ static int evc_frame_merge_filter(AVBSFContext *bsf, AVPacket *out)
         ctx->au_buffer.data = buffer;
         memcpy(ctx->au_buffer.data + ctx->au_buffer.data_size, in->data, nalu_size);
 
-        ctx->au_buffer.data_size += nalu_size;
+        ctx->au_buffer.data_size = data_size;
 
         in->data += nalu_size;
         in->size -= nalu_size;
-- 
2.41.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".