Commit 838740e6 authored by Luca Barbato's avatar Luca Barbato

hevc: Prevent some integer overflows

get_ue_golomb_long() returns an unsigned.

Sample-Id: 00001541-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent faf03ecb
......@@ -338,7 +338,7 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb)
const HEVCSPS *sps = s->sps;
int max_poc_lsb = 1 << sps->log2_max_poc_lsb;
int prev_delta_msb = 0;
int nb_sps = 0, nb_sh;
unsigned int nb_sps = 0, nb_sh;
int i;
rps->nb_refs = 0;
......@@ -759,7 +759,7 @@ static int hls_slice_header(HEVCContext *s)
}
if (s->pps->slice_header_extension_present_flag) {
int length = get_ue_golomb_long(gb);
unsigned int length = get_ue_golomb_long(gb);
for (i = 0; i < length; i++)
skip_bits(gb, 8); // slice_header_extension_data_byte
}
......
......@@ -261,7 +261,7 @@ enum ScanType {
};
typedef struct ShortTermRPS {
int num_negative_pics;
unsigned int num_negative_pics;
int num_delta_pocs;
int32_t delta_poc[32];
uint8_t used[32];
......@@ -528,7 +528,7 @@ typedef struct HEVCPPS {
} HEVCPPS;
typedef struct SliceHeader {
int pps_id;
unsigned int pps_id;
///< address (in raster order) of the first block in the current slice segment
unsigned int slice_segment_addr;
......
......@@ -93,7 +93,7 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps,
uint8_t delta_rps_sign;
if (is_slice_header) {
int delta_idx = get_ue_golomb_long(gb) + 1;
unsigned int delta_idx = get_ue_golomb_long(gb) + 1;
if (delta_idx > sps->nb_st_rps) {
av_log(s->avctx, AV_LOG_ERROR,
"Invalid value of delta_idx in slice header RPS: %d > %d.\n",
......@@ -244,7 +244,7 @@ static void parse_ptl(HEVCContext *s, PTL *ptl, int max_num_sub_layers)
}
}
static void decode_sublayer_hrd(HEVCContext *s, int nb_cpb,
static void decode_sublayer_hrd(HEVCContext *s, unsigned int nb_cpb,
int subpic_params_present)
{
GetBitContext *gb = &s->HEVClc.gb;
......@@ -298,7 +298,7 @@ static void decode_hrd(HEVCContext *s, int common_inf_present,
for (i = 0; i < max_sublayers; i++) {
int low_delay = 0;
int nb_cpb = 1;
unsigned int nb_cpb = 1;
int fixed_rate = get_bits1(gb);
if (!fixed_rate)
......@@ -553,18 +553,18 @@ static int scaling_list_data(HEVCContext *s, ScalingList *sl)
GetBitContext *gb = &s->HEVClc.gb;
uint8_t scaling_list_pred_mode_flag[4][6];
int32_t scaling_list_dc_coef[2][6];
int size_id, matrix_id, i, pos, delta;
int size_id, matrix_id, i, pos;
for (size_id = 0; size_id < 4; size_id++)
for (matrix_id = 0; matrix_id < (size_id == 3 ? 2 : 6); matrix_id++) {
scaling_list_pred_mode_flag[size_id][matrix_id] = get_bits1(gb);
if (!scaling_list_pred_mode_flag[size_id][matrix_id]) {
delta = get_ue_golomb_long(gb);
unsigned int delta = get_ue_golomb_long(gb);
/* Only need to handle non-zero delta. Zero means default,
* which should already be in the arrays. */
if (delta) {
// Copy from previous array.
if (matrix_id - delta < 0) {
if (matrix_id < delta) {
av_log(s->avctx, AV_LOG_ERROR,
"Invalid delta in scaling list data: %d.\n", delta);
return AVERROR_INVALIDDATA;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment