Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A Integer number overflow in function hevc_parse_slice_segment. #1721

Closed
treebacker opened this issue Mar 29, 2021 · 1 comment
Closed

A Integer number overflow in function hevc_parse_slice_segment. #1721

treebacker opened this issue Mar 29, 2021 · 1 comment

Comments

@treebacker
Copy link

treebacker commented Mar 29, 2021

There is a integer overflow in media_tools/av_parsers.c:6568, function hevc_parse_slice_segment.
Below code:
`
pps_id = gf_bs_read_ue_log(bs, "pps_id");
if (pps_id >= 64)
return -1;

pps = &hevc->pps[pps_id];
sps = &hevc->sps[pps->sps_id];
si->sps = sps;
si->pps = pps;

`
However, function may return a negative number to pps_id, which smaller than 64.
Results a crash in followed execution.

In command Line:
gpac -info bug4
bug4_cmd

In gdb:
bug4

The crafted file is in the attached zip:
bug4.zip

@jeanlf
Copy link
Contributor

jeanlf commented Mar 29, 2021

could not reproduce crash with latest master, but added safety checks. Thanks for the report

@jeanlf jeanlf closed this as completed Mar 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants