[FFmpeg-cvslog] hevc: Validate the number of long term reference pictures

Mark Thompson git at videolan.org
Sat Nov 11 05:41:51 EET 2017


ffmpeg | branch: master | Mark Thompson <sw at jkqxz.net> | Sat Jun 24 00:29:14 2017 +0100| [1329c08ad6d2ddb304858f2972c67b508e8b0f0e] | committer: Mark Thompson

hevc: Validate the number of long term reference pictures

This would overflow if the stream contained a value greater than the
maximum allowed by the standard (32).

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=1329c08ad6d2ddb304858f2972c67b508e8b0f0e
---

 libavcodec/hevc_ps.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 74906fd71b..2603e6d99f 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -883,6 +883,12 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
     sps->long_term_ref_pics_present_flag = get_bits1(gb);
     if (sps->long_term_ref_pics_present_flag) {
         sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb);
+        if (sps->num_long_term_ref_pics_sps > HEVC_MAX_LONG_TERM_REF_PICS) {
+            av_log(avctx, AV_LOG_ERROR, "Too many long term ref pics: %d.\n",
+                   sps->num_long_term_ref_pics_sps);
+            ret = AVERROR_INVALIDDATA;
+            goto err;
+        }
         for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) {
             sps->lt_ref_pic_poc_lsb_sps[i]       = get_bits(gb, sps->log2_max_poc_lsb);
             sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb);
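
Review bot: the new bound is tested on sps->num_long_term_ref_pics_sps after it has been assigned from get_ue_golomb_long(gb), so the comparison sees whatever the struct field retained, not the value parsed from the stream. The field's declaration is not visible in this hunk; if it is narrower than the function's return type, an oversized value could wrap to something at or below HEVC_MAX_LONG_TERM_REF_PICS, and the invalid stream would then be accepted with a wrong count instead of being rejected. Reading into a local unsigned, comparing that against the limit, and only then storing it would make the check independent of the field width. The av_log call prints the count with %d, and %u would match better if the value is unsigned. It is also worth confirming that lt_ref_pic_poc_lsb_sps[] and used_by_curr_pic_lt_sps_flag[] are declared with HEVC_MAX_LONG_TERM_REF_PICS elements, so the loop bound and the array sizes cannot drift apart.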


