[FFmpeg-cvslog] avformat/hevc: Check num_negative_pics and num_positive_pics

Michael Niedermayer git at videolan.org
Wed Jun 17 22:09:39 CEST 2015


ffmpeg | branch: release/2.2 | Michael Niedermayer <michaelni at gmx.at> | Tue May 12 19:28:15 2015 +0200| [06fda5bef349d9977ae947757d0fdb723366d2d7] | committer: Michael Niedermayer

avformat/hevc: Check num_negative_pics and num_positive_pics

Fixes CID1238994

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit b62b3292d8e25d3240e462c1b1cd8ac69195c46b)

Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=06fda5bef349d9977ae947757d0fdb723366d2d7
---

 libavformat/hevc.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavformat/hevc.c b/libavformat/hevc.c
index 9d902e7..49f8ce4 100644
--- a/libavformat/hevc.c
+++ b/libavformat/hevc.c
@@ -462,6 +462,9 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx,
         unsigned int num_negative_pics = get_ue_golomb_long(gb);
         unsigned int num_positive_pics = get_ue_golomb_long(gb);
 
+        if ((num_positive_pics + (uint64_t)num_negative_pics) * 2 > get_bits_left(gb))
+            return AVERROR_INVALIDDATA;
+
         num_delta_pocs[rps_idx] = num_negative_pics + num_positive_pics;
 
         for (i = 0; i < num_negative_pics; i++) {



More information about the ffmpeg-cvslog mailing list