avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow

Fixes: Out of array access Fixes: 19299/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5169193398042624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>

avcodec/hevc_mp4toannexb_bsf: check that nalu size doesnt overflow
Fixes: Out of array access Fixes: 19299/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_MP4TOANNEXB_fuzzer-5169193398042624 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: Michael Niedermayer <michael@niedermayer.cc>
a8ceb2a7 · Michael Niedermayer · 1e23b5a7 · a8ceb2a7
Commit a8ceb2a7 authored Dec 12, 2019 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 2 deletions

hevc_mp4toannexb_bsf.c libavcodec/hevc_mp4toannexb_bsf.c +1 -2

No files found.
--- a/libavcodec/hevc_mp4toannexb_bsf.c
+++ b/libavcodec/hevc_mp4toannexb_bsf.c
@@ -152,8 +152,7 @@ static int hevc_mp4toannexb_filter(AVBSFContext *ctx, AVPacket *out)
        extra_size    = add_extradata * ctx->par_out->extradata_size;
        got_irap     |= is_irap;

-        if (SIZE_MAX - nalu_size < 4 ||
-            SIZE_MAX - 4 - nalu_size < extra_size) {
+        if (FFMIN(INT_MAX, SIZE_MAX) < 4ULL + nalu_size + extra_size) {
            ret = AVERROR_INVALIDDATA;
            goto fail;
        }