[FFmpeg-devel] [PATCH] hevc: validate slice address length
Andreas Cadhalpun
andreas.cadhalpun at googlemail.com
Fri Jul 10 19:49:36 CEST 2015
It is used as get_bits argument and reading 0 bits doesn't make sense.
Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
libavcodec/hevc.c | 6 ++++++
libavcodec/hevc_parser.c | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 38734f0..d47af16 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -459,6 +459,12 @@ static int hls_slice_header(HEVCContext *s)
slice_address_length = av_ceil_log2(s->sps->ctb_width *
s->sps->ctb_height);
+ if (slice_address_length <= 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Invalid slice address length: %d\n",
+ slice_address_length);
+ return AVERROR_INVALIDDATA;
+ }
sh->slice_segment_addr = get_bits(gb, slice_address_length);
if (sh->slice_segment_addr >= s->sps->ctb_width * s->sps->ctb_height) {
av_log(s->avctx, AV_LOG_ERROR,
diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c
index 3c7c3c3..3025e4d 100644
--- a/libavcodec/hevc_parser.c
+++ b/libavcodec/hevc_parser.c
@@ -200,6 +200,12 @@ static inline int parse_nal_units(AVCodecParserContext *s, AVCodecContext *avctx
slice_address_length = av_ceil_log2_c(h->sps->ctb_width *
h->sps->ctb_height);
+ if (slice_address_length <= 0) {
+ av_log(h->avctx, AV_LOG_ERROR,
+ "Invalid slice address length: %d\n",
+ slice_address_length);
+ return AVERROR_INVALIDDATA;
+ }
sh->slice_segment_addr = get_bits(gb, slice_address_length);
if (sh->slice_segment_addr >= h->sps->ctb_width * h->sps->ctb_height) {
av_log(h->avctx, AV_LOG_ERROR, "Invalid slice segment address: %u.\n",
--
2.1.4
More information about the ffmpeg-devel
mailing list