From f7a504a0dfac5efd5e1f5bdc1c596fc798ef4c23 Mon Sep 17 00:00:00 2001
From: Nuo Mi <nuomi2021@gmail.com>
Date: Fri, 9 Feb 2024 19:16:30 +0800
Subject: avcodec/vvc_mp4toannexb: more validations for nalu_len

For a corrupted stream, the value of nalu_len read from the extradata is not reliable.
We need to perform additional checks

Fixes: fuzzer timeout
Fixes: 65253/clusterfuzz-testcase-minimized-ffmpeg_BSF_VVC_MP4TOANNEXB_fuzzer-4972412487467008

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
---
 libavcodec/bsf/vvc_mp4toannexb.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libavcodec/bsf/vvc_mp4toannexb.c b/libavcodec/bsf/vvc_mp4toannexb.c
index 25c3726918..36bdae8f49 100644
--- a/libavcodec/bsf/vvc_mp4toannexb.c
+++ b/libavcodec/bsf/vvc_mp4toannexb.c
@@ -155,10 +155,11 @@ static int vvc_extradata_to_annexb(AVBSFContext *ctx)
         }
 
         for (j = 0; j < cnt; j++) {
-            int nalu_len = bytestream2_get_be16(&gb);
+            const int nalu_len = bytestream2_get_be16(&gb);
 
-            if (4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len >
-                SIZE_MAX - new_extradata_size) {
+            if (!nalu_len ||
+                nalu_len > bytestream2_get_bytes_left(&gb) ||
+                4 + AV_INPUT_BUFFER_PADDING_SIZE + nalu_len > SIZE_MAX - new_extradata_size) {
                 ret = AVERROR_INVALIDDATA;
                 goto fail;
             }
-- 
cgit v1.2.3