Commit 63e7bfe7 authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/hevc_ps: Fix max_dec_buffer check

Fixes: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
Fixes: 2339/clusterfuzz-testcase-minimized-6663164320022528

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 5c1f4330
...@@ -941,9 +941,9 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id, ...@@ -941,9 +941,9 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
sps->temporal_layer[i].max_dec_pic_buffering = get_ue_golomb_long(gb) + 1; sps->temporal_layer[i].max_dec_pic_buffering = get_ue_golomb_long(gb) + 1;
sps->temporal_layer[i].num_reorder_pics = get_ue_golomb_long(gb); sps->temporal_layer[i].num_reorder_pics = get_ue_golomb_long(gb);
sps->temporal_layer[i].max_latency_increase = get_ue_golomb_long(gb) - 1; sps->temporal_layer[i].max_latency_increase = get_ue_golomb_long(gb) - 1;
if (sps->temporal_layer[i].max_dec_pic_buffering > HEVC_MAX_DPB_SIZE) { if (sps->temporal_layer[i].max_dec_pic_buffering > (unsigned)HEVC_MAX_DPB_SIZE) {
av_log(avctx, AV_LOG_ERROR, "sps_max_dec_pic_buffering_minus1 out of range: %d\n", av_log(avctx, AV_LOG_ERROR, "sps_max_dec_pic_buffering_minus1 out of range: %d\n",
sps->temporal_layer[i].max_dec_pic_buffering - 1); sps->temporal_layer[i].max_dec_pic_buffering - 1U);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
if (sps->temporal_layer[i].num_reorder_pics > sps->temporal_layer[i].max_dec_pic_buffering - 1) { if (sps->temporal_layer[i].num_reorder_pics > sps->temporal_layer[i].max_dec_pic_buffering - 1) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment