Commit 1329c08a authored by Mark Thompson's avatar Mark Thompson

hevc: Validate the number of long term reference pictures

This would overflow if the stream contained a value greater than the
maximum allowed by the standard (32).
parent b88da98b
...@@ -883,6 +883,12 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, ...@@ -883,6 +883,12 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->long_term_ref_pics_present_flag = get_bits1(gb); sps->long_term_ref_pics_present_flag = get_bits1(gb);
if (sps->long_term_ref_pics_present_flag) { if (sps->long_term_ref_pics_present_flag) {
sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb); sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb);
if (sps->num_long_term_ref_pics_sps > HEVC_MAX_LONG_TERM_REF_PICS) {
av_log(avctx, AV_LOG_ERROR, "Too many long term ref pics: %d.\n",
sps->num_long_term_ref_pics_sps);
ret = AVERROR_INVALIDDATA;
goto err;
}
for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) {
sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb);
sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb); sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment