avformat/hevc: Check cpb_cnt_minus1

Fixes CID1239014 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

avformat/hevc: Check cpb_cnt_minus1
Fixes CID1239014 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
2cddc0b1 · Michael Niedermayer · 7a27aa15 · 2cddc0b1
Commit 2cddc0b1 authored May 12, 2015 by Michael Niedermayer
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

hevc.c libavformat/hevc.c +7 -2

No files found.
--- a/libavformat/hevc.c
+++ b/libavformat/hevc.c
@@ -189,7 +189,7 @@ static void skip_sub_layer_hrd_parameters(GetBitContext *gb,
    }
 }

-static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
+static int skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
                                unsigned int max_sub_layers_minus1)
 {
    unsigned int i;
@@ -246,8 +246,11 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
        else
            low_delay_hrd_flag = get_bits1(gb);

-        if (!low_delay_hrd_flag)
+        if (!low_delay_hrd_flag) {
            cpb_cnt_minus1 = get_ue_golomb_long(gb);
+            if (cpb_cnt_minus1 > 31)
+                return AVERROR_INVALIDDATA;
+        }

        if (nal_hrd_parameters_present_flag)
            skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1,
@@ -257,6 +260,8 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
            skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1,
                                          sub_pic_hrd_params_present_flag);
    }
+
+    return 0;
 }

 static void skip_timing_info(GetBitContext *gb)