avcodec/lcevc_parser: Check that block_size is not negative

Based on 248b481c33

Signed-off-by: James Almer <jamrial@gmail.com>

libavcodec/bsf/extract_extradata.c

@@ -30,6 +30,7 @@
 #include "h2645_parse.h"
 #include "h264.h"
 #include "lcevc.h"
+#include "lcevc_parse.h"
 #include "startcode.h"
 #include "vc1_common.h"
 #include "vvc.h"
@@ -268,22 +269,6 @@ static int extract_extradata_h2645(AVBSFContext *ctx, AVPacket *pkt,
     return 0;
 }
 
-static inline uint64_t get_mb(GetBitContext *s) {
-    int more, i = 0;
-    uint64_t mb = 0;
-
-    do {
-        int byte = get_bits(s, 8);
-        unsigned bits = byte & 0x7f;
-        more = byte & 0x80;
-        mb = (mb << 7) | bits;
-        if (++i == 10)
-            break;
-    } while (more);
-
-    return mb;
-}
-
 /**
  * Rewrite the NALu stripping the unneeded blocks.
  * Given that length fields coded inside the NALu are not aware of any emulation_3bytes

libavcodec/lcevc_parse.h

@@ -0,0 +1,42 @@
+/*
+ * This file is part of FFmpeg.
+ *
+ * FFmpeg is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * FFmpeg is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with FFmpeg; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ */
+
+#ifndef AVCODEC_LCEVC_PARSE_H
+#define AVCODEC_LCEVC_PARSE_H
+
+#include <stdint.h>
+
+#include "get_bits.h"
+
+static inline uint64_t get_mb(GetBitContext *s) {
+    int more, i = 0;
+    uint64_t mb = 0;
+
+    do {
+        int byte = get_bits(s, 8);
+        unsigned bits = byte & 0x7f;
+        more = byte & 0x80;
+        mb = (mb << 7) | bits;
+        if (++i == 10)
+            break;
+    } while (more);
+
+    return mb;
+}
+
+#endif /* AVCODEC_LCEVC_PARSE_H */

libavcodec/lcevc_parser.c

@@ -25,6 +25,7 @@
 #include "get_bits.h"
 #include "h2645_parse.h"
 #include "lcevc.h"
+#include "lcevc_parse.h"
 #include "parser.h"
 #include "parser_internal.h"
 
@@ -100,22 +101,6 @@ static const struct {
     { 7680, 4800 },
 };
 
-static inline uint64_t get_mb(GetBitContext *s) {
-    int more, i = 0;
-    uint64_t mb = 0;
-
-    do {
-        int byte = get_bits(s, 8);
-        unsigned bits = byte & 0x7f;
-        more = byte & 0x80;
-        mb = (mb << 7) | bits;
-        if (++i == 10)
-            break;
-    } while (more);
-
-    return mb;
-}
-
 static int parse_nal_unit(AVCodecParserContext *s, AVCodecContext *avctx,
                           const H2645NAL *nal)
 {
@@ -125,7 +110,8 @@ static int parse_nal_unit(AVCodecParserContext *s, AVCodecContext *avctx,
 
     while (bytestream2_get_bytes_left(&gbc) > 1) {
         GetBitContext gb;
-        int payload_size_type, payload_type, payload_size;
+        uint64_t payload_size;
+        int payload_size_type, payload_type;
         int block_size;
 
         init_get_bits8(&gb, gbc.buffer, bytestream2_get_bytes_left(&gbc));
@@ -138,6 +124,9 @@ static int parse_nal_unit(AVCodecParserContext *s, AVCodecContext *avctx,
         if (payload_size_type == 7)
             payload_size = get_mb(&gb);
 
+        if (payload_size > INT_MAX - (get_bits_count(&gb) >> 3))
+            return AVERROR_INVALIDDATA;
+
         block_size = payload_size + (get_bits_count(&gb) >> 3);
         if (block_size >= bytestream2_get_bytes_left(&gbc))
             return AVERROR_INVALIDDATA;