
Commit 90dc7f8

committed
fix some exploitable overflows (#994, #997)
1 parent 02daef9 commit 90dc7f8


3 files changed

+7
-0
lines changed

3 files changed

+7
-0
lines changed

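--- a/include/gpac/tools.h
+++ b/include/gpac/tools.h
@@ -1067,6 +1067,7 @@ void gf_fm_request_call(u32 type, u32 param, int *value);
 
 /* \endcond */
 
+#define ARRAY_LENGTH(a) (sizeof(a) / sizeof((a)[0]))
 
 #ifdef __cplusplus
 }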
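Review bot: The new ARRAY_LENGTH macro is undocumented, and its one real hazard is silent: applied to a pointer or to an array-typed function parameter (which has decayed to a pointer) it compiles fine but yields sizeof(pointer)/sizeof(element), so a bounds check built on it under-reports the capacity instead of failing loudly. Since the two callers in this commit are the bounds checks that close the reported overflows, that misuse would reopen them. A comment on the define would guard future callers: `/* Element count of a true array object; do NOT use on pointers or array parameters (decayed), the result is silently wrong */`. The macro is also placed after the `\endcond` marker, so it will appear in the generated API docs; if that is unintended, moving it above the marker keeps it internal.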

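--- a/src/isomedia/avc_ext.c
+++ b/src/isomedia/avc_ext.c
@@ -2413,6 +2413,8 @@ GF_Err gf_isom_oinf_read_entry(void *entry, GF_BitStream *bs)
 op->output_layer_set_idx = gf_bs_read_u16(bs);
 op->max_temporal_id = gf_bs_read_u8(bs);
 op->layer_count = gf_bs_read_u8(bs);
+if (op->layer_count > ARRAY_LENGTH(op->layers_info))
+return GF_NON_COMPLIANT_BITSTREAM;
 for (j = 0; j < op->layer_count; j++) {
 op->layers_info[j].ptl_idx = gf_bs_read_u8(bs);
 op->layers_info[j].layer_id = gf_bs_read_int(bs, 6);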
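Review bot: The new bounds check rejects the entry silently, whereas the matching check added to av_parsers.c in this commit logs the reason before bailing out; a malformed file that trips this path will surface only as a generic GF_NON_COMPLIANT_BITSTREAM with nothing in the log to tell an operator which field was out of range. Mirroring the other hunk keeps diagnostics consistent: `GF_LOG(GF_LOG_ERROR, GF_LOG_CONTAINER, ("[iso file] oinf layer_count %u exceeds layers_info capacity\n", op->layer_count));` before the return. gf_isom_oinf_read_entry starts and ends outside the hunk, so whether `op` was allocated earlier in this function and needs releasing on this early return cannot be confirmed here; worth checking that the caller frees a partially read entry.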

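--- a/src/media_tools/av_parsers.c
+++ b/src/media_tools/av_parsers.c
@@ -2385,6 +2385,10 @@ s32 gf_media_avc_read_sps(const char *sps_data, u32 sps_size, AVCState *avc, u32
 sps->offset_for_non_ref_pic = bs_get_se(bs);
 sps->offset_for_top_to_bottom_field = bs_get_se(bs);
 sps->poc_cycle_length = bs_get_ue(bs);
+if (sps->poc_cycle_length > ARRAY_LENGTH(sps->offset_for_ref_frame)) {
+GF_LOG(GF_LOG_ERROR, GF_LOG_CODING, ("[avc-h264] offset_for_ref_frame overflow from poc_cycle_length\n"));
+goto exit;
+}
 for(i=0; i<sps->poc_cycle_length; i++) sps->offset_for_ref_frame[i] = bs_get_se(bs);
 }
 if (sps->poc_type > 2) {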
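Review bot: The new early exit jumps to `exit` without marking the SPS as invalid, so if `exit` only releases the bitstream and returns the current `sps_id` (as the function's other error paths appear to, judging by the `poc_type > 2` branch that begins on the hunk's last line), the caller receives a success value for an SPS whose POC fields were never parsed and will go on using it. The write is prevented, but the truncated state is still consumed downstream. Setting the failure value before the jump, e.g. `sps_id = -1;` ahead of `goto exit;`, matches the existing error convention if that is indeed what the `poc_type > 2` branch does; the label and the rest of gf_media_avc_read_sps are outside the hunk, so please confirm against the full function.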
