Browse code
avcodec/hevc_ps: Check num_long_term_ref_pics_sps
Fixes out of array access
Fixes: signal_sigsegv_35bd0f0_1182_cov_791726764_STRUCT_B_Samsung_4.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit ea38e5a6b75706477898eb1e6582d667dbb9946c)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2014/11/28 11:46:56Showing 1 changed files
| ... | ... |
@@ -951,6 +951,11 @@ int ff_hevc_decode_nal_sps(HEVCContext *s) |
| 951 | 951 |
sps->long_term_ref_pics_present_flag = get_bits1(gb); |
| 952 | 952 |
if (sps->long_term_ref_pics_present_flag) {
|
| 953 | 953 |
sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb); |
| 954 |
+ if (sps->num_long_term_ref_pics_sps > 31U) {
|
|
| 955 |
+ av_log(0, AV_LOG_ERROR, "num_long_term_ref_pics_sps %d is out of range.\n", |
|
| 956 |
+ sps->num_long_term_ref_pics_sps); |
|
| 957 |
+ goto err; |
|
| 958 |
+ } |
|
| 954 | 959 |
for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) {
|
| 955 | 960 |
sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb); |
| 956 | 961 |
sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb); |