From bdb4b64f16b75c4d4cd88c0755aa6111cadaa602 Mon Sep 17 00:00:00 2001
From: Zhao Zhili <zhilizhao@tencent.com>
Date: Tue, 13 Jun 2023 15:37:16 +0800
Subject: [PATCH] avcodec/hevc_parse: check the size of hvcC is at least 23

The code after the check skip 21 bytes and then read two bytes.

Signed-off-by: Zhao Zhili <zhilizhao@tencent.com>
---
 libavcodec/hevc_parse.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevc_parse.c b/libavcodec/hevc_parse.c
index 1f3beed183..7bc28fd081 100644
--- a/libavcodec/hevc_parse.c
+++ b/libavcodec/hevc_parse.c
@@ -88,8 +88,10 @@ int ff_hevc_decode_extradata(const uint8_t *data, int size, HEVCParamSets *ps,
 
     /* data[0] == 1 is configurationVersion from 14496-15.
      * data[0] == 0 is for backward compatibility predates the standard.
+     *
+     * Minimum number of bytes of hvcC with 0 numOfArrays is 23.
      */
-    if (size > 3 && ((data[0] == 1) || (data[0] == 0 && (data[1] || data[2] > 1)))) {
+    if (size >= 23 && ((data[0] == 1) || (data[0] == 0 && (data[1] || data[2] > 1)))) {
         /* It seems the extradata is encoded as hvcC format. */
         int i, j, num_arrays, nal_len_size;