hevc: Bound check slice_qp

The T-REC-H.265-2013044 page 79 states they have to be into the range [-s->sps->qp_bd_offset, 51]. Fixes: asan_stack-oob_eae8e3_9522_WP_MAIN10_B_Toshiba_3.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

hevc: Bound check slice_qp
The T-REC-H.265-2013044 page 79 states they have to be into the range [-s->sps->qp_bd_offset, 51]. Fixes: asan_stack-oob_eae8e3_9522_WP_MAIN10_B_Toshiba_3.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
aead772b · Luca Barbato · Michael Niedermayer · 48a5b155 · aead772b
Commit aead772b authored Jan 12, 2014 by Luca Barbato Committed by Michael Niedermayer Jan 13, 2014
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 1 deletion

hevc.c libavcodec/hevc.c +11 -1

No files found.
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -682,7 +682,17 @@ static int hls_slice_header(HEVCContext *s)
    }
    // Inferred parameters
-    sh->slice_qp          = 26 + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta;
+    sh->slice_qp = 26U + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta;
+    if (sh->slice_qp > 51 ||
+        sh->slice_qp < -s->sps->qp_bd_offset) {
+        av_log(s->avctx, AV_LOG_ERROR,
+               "The slice_qp %d is outside the valid range "
+               "[%d, 51].\n",
+               sh->slice_qp,
+               -s->sps->qp_bd_offset);
+        return AVERROR_INVALIDDATA;
+    }
    sh->slice_ctb_addr_rs = sh->slice_segment_addr;
    s->HEVClc->first_qp_group = !s->sh.dependent_slice_segment_flag;