]> git.sesse.net Git - ffmpeg/commitdiff
projects / ffmpeg / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b88da98)
hevc: Validate the number of long term reference pictures
authorMark Thompson <sw@jkqxz.net>
Fri, 23 Jun 2017 23:29:14 +0000 (00:29 +0100)
committerMark Thompson <sw@jkqxz.net>
Sat, 5 Aug 2017 22:54:35 +0000 (23:54 +0100)
This would overflow if the stream contained a value greater than the
maximum allowed by the standard (32).

libavcodec/hevc_ps.c patch | blob | history

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 74906fd71b08174b6619e4d74d0e0665df0208ec..2603e6d99fab92b492d22efd40c348ff64e9338b 100644 (file)
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -883,6 +883,12 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
     sps->long_term_ref_pics_present_flag = get_bits1(gb);
     if (sps->long_term_ref_pics_present_flag) {
         sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb);
+        if (sps->num_long_term_ref_pics_sps > HEVC_MAX_LONG_TERM_REF_PICS) {
+            av_log(avctx, AV_LOG_ERROR, "Too many long term ref pics: %d.\n",
+                   sps->num_long_term_ref_pics_sps);
+            ret = AVERROR_INVALIDDATA;
+            goto err;
+        }
         for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) {
             sps->lt_ref_pic_poc_lsb_sps[i]       = get_bits(gb, sps->log2_max_poc_lsb);
             sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb);
Unnamed repository; edit this file 'description' to name the repository.