[FFmpeg-cvslog] hevc: Prevent some integer overflows
Luca Barbato
git at videolan.org
Tue Jan 21 15:36:13 CET 2014
ffmpeg | branch: master | Luca Barbato <lu_zero at gentoo.org> | Sat Jan 11 12:33:42 2014 +0100| [838740e6420538ad45982da6b1d3aa3ae91307f5] | committer: Luca Barbato
hevc: Prevent some integer overflows
get_ue_golomb_long() returns an unsigned.
Sample-Id: 00001541-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable at libav.org
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=838740e6420538ad45982da6b1d3aa3ae91307f5
---
libavcodec/hevc.c | 4 ++--
libavcodec/hevc.h | 4 ++--
libavcodec/hevc_ps.c | 12 ++++++------
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index d5175f5..01d3a77 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -338,7 +338,7 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb)
const HEVCSPS *sps = s->sps;
int max_poc_lsb = 1 << sps->log2_max_poc_lsb;
int prev_delta_msb = 0;
- int nb_sps = 0, nb_sh;
+ unsigned int nb_sps = 0, nb_sh;
int i;
rps->nb_refs = 0;
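Review bot: Making `nb_sps` and `nb_sh` unsigned removes the negative case, but any limit check that adds the two counts can now wrap modulo 2^32 and accept a pair of very large values. That check is outside this hunk, so it needs confirming in the rest of decode_lt_rps. If it sums them in 32 bits, widen the sum before comparing it with the array capacity, e.g. `(uint64_t)nb_sps + nb_sh`. The index `i` stays `int`, so comparisons against these counts are done as unsigned, which is safe only once the counts have been bounded.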
@@ -759,7 +759,7 @@ static int hls_slice_header(HEVCContext *s)
}
if (s->pps->slice_header_extension_present_flag) {
- int length = get_ue_golomb_long(gb);
+ unsigned int length = get_ue_golomb_long(gb);
for (i = 0; i < length; i++)
skip_bits(gb, 8); // slice_header_extension_data_byte
}
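Review bot: `length` is used as a loop bound straight from the bitstream with no check against the data that remains, so a crafted slice header can request up to about 2^32 calls to `skip_bits(gb, 8)`. Reject it before the loop, for example `if (length * 8LL > get_bits_left(gb)) return AVERROR_INVALIDDATA;`. The index `i` is declared outside this hunk; if it is a signed `int`, a `length` above INT_MAX would also overflow `i++`, which the same check prevents. hls_slice_header starts and ends outside the hunk.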
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index 6c99d9b..a674899 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -261,7 +261,7 @@ enum ScanType {
};
typedef struct ShortTermRPS {
- int num_negative_pics;
+ unsigned int num_negative_pics;
int num_delta_pocs;
int32_t delta_poc[32];
uint8_t used[32];
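Review bot: Changing `num_negative_pics` to unsigned affects every user of ShortTermRPS, not just the parser, and those uses are outside this diff. Any expression such as `num_negative_pics - 1`, or a comparison with a signed loop index, is now evaluated in unsigned arithmetic and wraps at zero instead of going negative. The neighbouring `num_delta_pocs` stays `int`, so the two counts now mix signedness wherever they are combined. A field comment would help, e.g. `///< read from the bitstream; must be range-checked against the 32-entry arrays before use`, assuming the count does bound accesses to `delta_poc[]` and `used[]`.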
@@ -528,7 +528,7 @@ typedef struct HEVCPPS {
} HEVCPPS;
typedef struct SliceHeader {
- int pps_id;
+ unsigned int pps_id;
///< address (in raster order) of the first block in the current slice segment
unsigned int slice_segment_addr;
diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 829294f..0c1550e 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -93,7 +93,7 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps,
uint8_t delta_rps_sign;
if (is_slice_header) {
- int delta_idx = get_ue_golomb_long(gb) + 1;
+ unsigned int delta_idx = get_ue_golomb_long(gb) + 1;
if (delta_idx > sps->nb_st_rps) {
av_log(s->avctx, AV_LOG_ERROR,
"Invalid value of delta_idx in slice header RPS: %d > %d.\n",
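Review bot: The `+ 1` is now evaluated in unsigned arithmetic, so if get_ue_golomb_long() can return UINT_MAX, `delta_idx` wraps to 0 and passes the `delta_idx > sps->nb_st_rps` test. Since `delta_idx` is a parsed value plus one, zero can only come from wraparound, and the guard should read `if (!delta_idx || delta_idx > sps->nb_st_rps) {`. The error message still formats the value with `%d`; its argument list is cut off by the hunk, but assuming `delta_idx` is the first argument it should become `%u`. The same applies to `delta` in the scaling_list_data hunk of this file, where `"Invalid delta in scaling list data: %d.\n", delta` is visible.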
@@ -244,7 +244,7 @@ static void parse_ptl(HEVCContext *s, PTL *ptl, int max_num_sub_layers)
}
}
-static void decode_sublayer_hrd(HEVCContext *s, int nb_cpb,
+static void decode_sublayer_hrd(HEVCContext *s, unsigned int nb_cpb,
int subpic_params_present)
{
GetBitContext *gb = &s->HEVClc.gb;
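Review bot: `nb_cpb` is now unsigned here and in the decode_hrd hunk below, but neither hunk shows an upper bound being applied to it. decode_sublayer_hrd returns `void`, so it cannot reject an oversized count itself. If decode_hrd assigns `nb_cpb` from the bitstream (that assignment is outside both hunks), the range check belongs there, immediately after the read and before the call. At minimum, document the contract on this function, e.g. `/* nb_cpb must already be range-checked by the caller; this function cannot report errors */`.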
@@ -298,7 +298,7 @@ static void decode_hrd(HEVCContext *s, int common_inf_present,
for (i = 0; i < max_sublayers; i++) {
int low_delay = 0;
- int nb_cpb = 1;
+ unsigned int nb_cpb = 1;
int fixed_rate = get_bits1(gb);
if (!fixed_rate)
@@ -553,18 +553,18 @@ static int scaling_list_data(HEVCContext *s, ScalingList *sl)
GetBitContext *gb = &s->HEVClc.gb;
uint8_t scaling_list_pred_mode_flag[4][6];
int32_t scaling_list_dc_coef[2][6];
- int size_id, matrix_id, i, pos, delta;
+ int size_id, matrix_id, i, pos;
for (size_id = 0; size_id < 4; size_id++)
for (matrix_id = 0; matrix_id < (size_id == 3 ? 2 : 6); matrix_id++) {
scaling_list_pred_mode_flag[size_id][matrix_id] = get_bits1(gb);
if (!scaling_list_pred_mode_flag[size_id][matrix_id]) {
- delta = get_ue_golomb_long(gb);
+ unsigned int delta = get_ue_golomb_long(gb);
/* Only need to handle non-zero delta. Zero means default,
* which should already be in the arrays. */
if (delta) {
// Copy from previous array.
- if (matrix_id - delta < 0) {
+ if (matrix_id < delta) {
av_log(s->avctx, AV_LOG_ERROR,
"Invalid delta in scaling list data: %d.\n", delta);
return AVERROR_INVALIDDATA;