Fixes out of array access
Fixes: signal_sigsegv_35bd0f0_1182_cov_791726764_STRUCT_B_Samsung_4.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ea38e5a6b75706477898eb1e6582d667dbb9946c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -951,6 +951,11 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) |
951 | 951 |
sps->long_term_ref_pics_present_flag = get_bits1(gb); |
952 | 952 |
if (sps->long_term_ref_pics_present_flag) { |
953 | 953 |
sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb); |
954 |
+ if (sps->num_long_term_ref_pics_sps > 31U) { |
|
955 |
+ av_log(0, AV_LOG_ERROR, "num_long_term_ref_pics_sps %d is out of range.\n", |
|
956 |
+ sps->num_long_term_ref_pics_sps); |
|
957 |
+ goto err; |
|
958 |
+ } |
|
954 | 959 |
for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) { |
955 | 960 |
sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); |
956 | 961 |
sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb); |
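Review bot: The new range check on `num_long_term_ref_pics_sps` hard-codes `31U`, so nothing ties it to the capacity of `lt_ref_pic_poc_lsb_sps` and `used_by_curr_pic_lt_sps_flag`, the two arrays the loop below writes; their declarations are not visible in this hunk, so the literal cannot be checked against them. Assuming both are fixed-size arrays of equal length, deriving the bound from the storage keeps the two from drifting apart: `if (sps->num_long_term_ref_pics_sps > FF_ARRAY_ELEMS(sps->lt_ref_pic_poc_lsb_sps)) {`. The comparison also runs only after the value has been stored in the struct field, so if that field is narrower than the return type of `get_ue_golomb_long()`, an oversized value would be truncated before it is tested; reading into a local `unsigned` and validating that before the assignment removes the doubt. Separately, `av_log(0, ...)` discards the logging context, and `s->avctx` is presumably usable here. The body of `ff_hevc_decode_nal_sps`, including the `err` label, starts and ends outside the hunk.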