From fd6125c4dd4ff972d1609163cd36e2b38c845d75 Mon Sep 17 00:00:00 2001
From: sauwming
Date: Tue, 14 Mar 2023 10:25:46 +0800
Subject: [PATCH] Fixed buffer overflow in h264 unpacketizer (#3434)
---
 pjmedia/src/pjmedia-codec/h264_packetizer.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/pjmedia/src/pjmedia-codec/h264_packetizer.c b/pjmedia/src/pjmedia-codec/h264_packetizer.c
index ba8353164..b701e339f 100644
--- a/pjmedia/src/pjmedia-codec/h264_packetizer.c
+++ b/pjmedia/src/pjmedia-codec/h264_packetizer.c
@@ -437,6 +437,9 @@ PJ_DEF(pj_status_t) pjmedia_h264_unpacketize(pjmedia_h264_packetizer *pktz,
     while (q < q_end && p < p_end) {
         pj_uint16_t tmp_nal_size;
 
+        if (p + pktz->cfg.unpack_nal_start > p_end)
+            return PJ_EINVAL;
+
         /* Write NAL unit start code */
         pj_memcpy(p, nal_start_code, pktz->cfg.unpack_nal_start);
         p += pktz->cfg.unpack_nal_start;
@@ -444,7 +447,7 @@ PJ_DEF(pj_status_t) pjmedia_h264_unpacketize(pjmedia_h264_packetizer *pktz,
         /* Get NAL unit size */
         tmp_nal_size = (*q << 8) | *(q+1);
         q += 2;
-        if (q + tmp_nal_size > q_end) {
+        if (p + tmp_nal_size > p_end || q + tmp_nal_size > q_end) {
             /* Invalid bitstream, discard the rest of the payload */
             return PJ_EINVAL;
         }
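Review bot: The two-byte length read `tmp_nal_size = (*q << 8) | *(q+1);` in the second hunk is guarded only by the loop condition `q < q_end` (visible as context in the first hunk), so an aggregation payload whose remaining length is exactly one byte makes `*(q+1)` read one byte past the input before the new `q + tmp_nal_size > q_end` check ever runs. A bound on the input before the read closes that over-read: `if (q + 2 > q_end) return PJ_EINVAL;` placed just above the `/* Get NAL unit size */` comment. The added output-side check `p + tmp_nal_size > p_end` looks correct for what the hunk shows, though the copy it protects lies below the hunk and I cannot confirm nothing else writes through `p` in between. pjmedia_h264_unpacketize starts and ends outside both hunks.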