avcodec/hevc/hevcdec: Check num_entry_point_offsets

The code uses int, unsigned int and uint16_t to store num_entry_point_offsets This limits it to the smallest of the 3. Alternatively uint16_t can be changed and then a larger limit used. A Check will still be needed. Fixes: 391974932/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5966648879677440 Fixes: signed integer overflow: 2147483647 + 1 cannot be represented in type 'int' Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 791a333a0e) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2026-02-04 14:30:55 +08:00 · 2025-05-08 23:57:33 +02:00
parent 14fc61da71
commit ce49290d31
1 changed files with 1 additions and 1 deletions
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -1048,7 +1048,7 @@ static int hls_slice_header(SliceHeader *sh, const HEVCContext *s, GetBitContext
    if (pps->tiles_enabled_flag || pps->entropy_coding_sync_enabled_flag) {
        unsigned num_entry_point_offsets = get_ue_golomb_long(gb);
        // It would be possible to bound this tighter but this here is simpler
-        if (num_entry_point_offsets > get_bits_left(gb)) {
+        if (num_entry_point_offsets > get_bits_left(gb) || num_entry_point_offsets > UINT16_MAX) {
            av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets);
            return AVERROR_INVALIDDATA;
        }