In `media_tools/av_parsers.c`, function `gf_hevc_read_pps_bs_internal`. There is a loop as below:

```c
pps->num_tile_columns = 1 + gf_bs_read_ue_log(bs, "num_tile_columns_minus1");
pps->num_tile_rows = 1 + gf_bs_read_ue_log(bs, "num_tile_rows_minus1");
pps->uniform_spacing_flag = gf_bs_read_int_log(bs, 1, "uniform_spacing_flag");
if (!pps->uniform_spacing_flag) {
	for (i = 0; i < pps->num_tile_columns - 1; i++) {
		pps->column_width[i] = 1 + gf_bs_read_ue_log_idx(bs, "column_width_minus1", i);
	}
```

However, with a crafted file, pps->num_tile_columns may be larger than sizeof(pps->column_width), which results in a heap overflow in the loop.
In command line: `gpac -info bug5`
In gdb:
The crafted file is in the attached zip: bug5.zip
add safety in avc/hevc/vvc sps/pps/vps ID check - cf #1720 #1721 #1722
51cdb67
Could not reproduce crash with latest master, but added safety checks. Thanks for the report.
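An added illustration of the kind of bound check the report calls for; it is not GPAC's code and not the change in the commit referenced above. It is a minimal tile-field parser that validates the decoded count against the array capacity before the loop writes `column_width[i]`. `BitReader`, `TilePps`, `parse_tiles` and `MAX_TILES` are hypothetical names, the capacity is an assumed value, and the input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_TILES 16  /* assumed array capacity for this sketch */

typedef struct { const uint8_t *buf; size_t nbits, pos; int overrun; } BitReader;
typedef struct {
    uint32_t num_tile_columns, num_tile_rows, uniform_spacing_flag;
    uint32_t column_width[MAX_TILES];
} TilePps;

/* Read one bit MSB-first; reading past the end yields 0 and sets overrun. */
static uint32_t read_bit(BitReader *br) {
    if (br->pos >= br->nbits) { br->overrun = 1; return 0; }
    uint32_t b = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1u;
    br->pos++;
    return b;
}

/* Unsigned Exp-Golomb: count leading zeros (capped at 31), then read that many bits. */
static uint32_t read_ue(BitReader *br) {
    unsigned zeros = 0;
    uint32_t v = 0;
    while (zeros < 31 && read_bit(br) == 0) zeros++;
    for (unsigned i = 0; i < zeros; i++) v = (v << 1) | read_bit(br);
    return ((uint32_t)1 << zeros) - 1 + v;
}

/* Returns 0 on success, -1 if a count exceeds the array or the input is truncated. */
int parse_tiles(BitReader *br, TilePps *pps) {
    uint32_t cols_m1 = read_ue(br), rows_m1 = read_ue(br);
    /* Validate the untrusted counts before any indexed write. */
    if (cols_m1 >= MAX_TILES || rows_m1 >= MAX_TILES) return -1;
    pps->num_tile_columns = cols_m1 + 1;
    pps->num_tile_rows = rows_m1 + 1;
    pps->uniform_spacing_flag = read_bit(br);
    if (!pps->uniform_spacing_flag)
        for (uint32_t i = 0; i < pps->num_tile_columns - 1; i++)
            pps->column_width[i] = 1 + read_ue(br);
    return br->overrun ? -1 : 0;
}

int main(void) {
    /* Constructed inputs: 3 columns (accepted) and 41 columns (rejected). */
    static const uint8_t ok[] = {0x75, 0x00}, bad[] = {0x05, 0x30};
    BitReader a = {ok, 9, 0, 0}, b = {bad, 12, 0, 0};
    TilePps pps = {0};
    return (parse_tiles(&a, &pps) == 0 && parse_tiles(&b, &pps) == -1) ? 0 : 1;
}
```

The check compares the decoded `_minus1` value with the element count of the array, not with its size in bytes, and it runs before the first write.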