From fcf74c5ebc520a53758eb410003fc8e814873053 Mon Sep 17 00:00:00 2001
From: Frank Plowman <post@frankplowman.com>
Date: Tue, 9 Apr 2024 07:55:11 +0000
Subject: [PATCH] lavc/vvc: Fix buffer overread in CABAC

The size variable here is taken as gospel for the bounds of the input
buffer in later logic.  Clamp it to ensure that the returned region
does not extend past that allocated in the underlying GetBitContext,
even in the case entry point offsets are signalled in the bitstream.
Also assert this for good measure.

Signed-off-by: Frank Plowman <post@frankplowman.com>
---
 libavcodec/vvc/dec.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libavcodec/vvc/dec.c b/libavcodec/vvc/dec.c
index 27ffbb741d..a4fc40b40a 100644
--- a/libavcodec/vvc/dec.c
+++ b/libavcodec/vvc/dec.c
@@ -497,9 +497,11 @@ static void ep_init_cabac_decoder(SliceContext *sc, const int index,
             skipped++;
         }
         size = end - start;
+        size = av_clip(size, 0, get_bits_left(gb) / 8);
     } else {
         size = get_bits_left(gb) / 8;
     }
+    av_assert0(gb->buffer + get_bits_count(gb) / 8 + size <= gb->buffer_end);
     ff_init_cabac_decoder (&ep->cc, gb->buffer + get_bits_count(gb) / 8, size);
     skip_bits(gb, size * 8);
 }