RepoMirrors/ffmpeg
1
0
Fork 0
mirror of https://git.ffmpeg.org/ffmpeg.git synced 2025-03-08 13:38:07 +00:00
Code Issues Projects Releases Wiki Activity

lavc/vvc: Fix buffer overread in CABAC

Browse Source 
The size variable here is taken as gospel for the bounds of the input
buffer in later logic.  Clamp it to ensure that the returned region
does not extend past that allocated in the underlying GetBitContext,
even in the case entry point offsets are signalled in the bitstream.
Also assert this for good measure.

Signed-off-by: Frank Plowman <post@frankplowman.com>
This commit is contained in:
Frank Plowman 2024-04-09 07:55:11 +00:00 committed by Nuo Mi
parent f499503073
commit fcf74c5ebc
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
libavcodec/vvc/dec.c
View File

@ -497,9 +497,11 @@ static void ep_init_cabac_decoder(SliceContext *sc, const int index,
skipped++;
}
size = end - start;
size = av_clip(size, 0, get_bits_left(gb) / 8);
} else {
size = get_bits_left(gb) / 8;
}
av_assert0(gb->buffer + get_bits_count(gb) / 8 + size <= gb->buffer_end);
ff_init_cabac_decoder (&ep->cc, gb->buffer + get_bits_count(gb) / 8, size);
skip_bits(gb, size * 8);
}