Commit 5ec85c97 authored by Christophe Gisquet's avatar Christophe Gisquet Committed by Michael Niedermayer

hevc: do generic validation of bitstream

After finishing parsing VPS/SPS/PPS/slice header, check remaining bits,
and if an overconsumption occurred, report invalid data.

Liked-by: BBB
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent bfffce4d
...@@ -740,6 +740,12 @@ static int hls_slice_header(HEVCContext *s) ...@@ -740,6 +740,12 @@ static int hls_slice_header(HEVCContext *s)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
if (get_bits_left(gb) < 0) {
av_log(s->avctx, AV_LOG_ERROR,
"Overread slice header by %d bits\n", -get_bits_left(gb));
return AVERROR_INVALIDDATA;
}
s->HEVClc->first_qp_group = !s->sh.dependent_slice_segment_flag; s->HEVClc->first_qp_group = !s->sh.dependent_slice_segment_flag;
if (!s->pps->cu_qp_delta_enabled_flag) if (!s->pps->cu_qp_delta_enabled_flag)
......
...@@ -452,6 +452,12 @@ int ff_hevc_decode_nal_vps(HEVCContext *s) ...@@ -452,6 +452,12 @@ int ff_hevc_decode_nal_vps(HEVCContext *s)
} }
get_bits1(gb); /* vps_extension_flag */ get_bits1(gb); /* vps_extension_flag */
if (get_bits_left(gb) < 0) {
av_log(s->avctx, AV_LOG_ERROR,
"Overread VPS by %d bits\n", -get_bits_left(gb));
goto err;
}
av_buffer_unref(&s->vps_list[vps_id]); av_buffer_unref(&s->vps_list[vps_id]);
s->vps_list[vps_id] = vps_buf; s->vps_list[vps_id] = vps_buf;
return 0; return 0;
...@@ -1050,6 +1056,12 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) ...@@ -1050,6 +1056,12 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
goto err; goto err;
} }
if (get_bits_left(gb) < 0) {
av_log(s->avctx, AV_LOG_ERROR,
"Overread SPS by %d bits\n", -get_bits_left(gb));
goto err;
}
if (s->avctx->debug & FF_DEBUG_BITSTREAM) { if (s->avctx->debug & FF_DEBUG_BITSTREAM) {
av_log(s->avctx, AV_LOG_DEBUG, av_log(s->avctx, AV_LOG_DEBUG,
"Parsed SPS: id %d; coded wxh: %dx%d; " "Parsed SPS: id %d; coded wxh: %dx%d; "
...@@ -1473,6 +1485,12 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) ...@@ -1473,6 +1485,12 @@ int ff_hevc_decode_nal_pps(HEVCContext *s)
} }
} }
if (get_bits_left(gb) < 0) {
av_log(s->avctx, AV_LOG_ERROR,
"Overread PPS by %d bits\n", -get_bits_left(gb));
goto err;
}
av_buffer_unref(&s->pps_list[pps_id]); av_buffer_unref(&s->pps_list[pps_id]);
s->pps_list[pps_id] = pps_buf; s->pps_list[pps_id] = pps_buf;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment