libavcodec/bsf · e54591369f15462c2d44aa151f605a095b933ae7 · Stefan Westerfeld / ffmpeg

avcodec/h264_mp4toannexb: Fix heap buffer overflow · 89e9486b

Zhao Zhili authored Mar 25, 2024

Fixes: out of array write
Fixes: 64407/clusterfuzz-testcase-minimized-ffmpeg_BSF_H264_MP4TOANNEXB_fuzzer-4966763443650560

mp4toannexb_filter counts the number of bytes needed in the first
pass and allocate the memory, then do memcpy in the second pass.
Update sps/pps size in the loop makes the count invalid in the
case of SPS/PPS occur after IDR slice. This patch process in-band
SPS/PPS before the two pass loops.
Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>

89e9486b

Name	Last commit	Last update
..
Makefile		Loading commit data...
aac_adtstoasc.c		Loading commit data...
av1_frame_merge.c		Loading commit data...
av1_frame_split.c		Loading commit data...
av1_metadata.c		Loading commit data...
chomp.c		Loading commit data...
dca_core.c		Loading commit data...
dts2pts.c		Loading commit data...
dump_extradata.c		Loading commit data...
dv_error_marker.c		Loading commit data...
eac3_core.c		Loading commit data...
evc_frame_merge.c		Loading commit data...
extract_extradata.c		Loading commit data...
filter_units.c		Loading commit data...
h264_metadata.c		Loading commit data...
h264_mp4toannexb.c		Loading commit data...
h264_redundant_pps.c		Loading commit data...
h265_metadata.c		Loading commit data...
h266_metadata.c		Loading commit data...
hapqa_extract.c		Loading commit data...
hevc_mp4toannexb.c		Loading commit data...
imx_dump_header.c		Loading commit data...
media100_to_mjpegb.c		Loading commit data...
mjpeg2jpeg.c		Loading commit data...
mjpega_dump_header.c		Loading commit data...
movsub.c		Loading commit data...
mpeg2_metadata.c		Loading commit data...
mpeg4_unpack_bframes.c		Loading commit data...
noise.c		Loading commit data...
null.c		Loading commit data...
opus_metadata.c		Loading commit data...
pcm_rechunk.c		Loading commit data...
pgs_frame_merge.c		Loading commit data...
prores_metadata.c		Loading commit data...
remove_extradata.c		Loading commit data...
setts.c		Loading commit data...
showinfo.c		Loading commit data...
trace_headers.c		Loading commit data...
truehd_core.c		Loading commit data...
vp9_metadata.c		Loading commit data...
vp9_raw_reorder.c		Loading commit data...
vp9_superframe.c		Loading commit data...
vp9_superframe_split.c		Loading commit data...
vvc_mp4toannexb.c		Loading commit data...