Browse code
avcodec/hevc_ps: Check diff_cu_qp_delta_depth
Fixes undefined behavior
Fixes: asan_static-oob_17aa046_582_cov_1577759978_DBLK_G_VIXS_1.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3281fa892599d71b4dc298a426af8296419cd90e)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2014/12/18 10:09:23Showing 1 changed files
| ... | ... |
@@ -1072,6 +1072,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s) |
| 1072 | 1072 |
if (pps->cu_qp_delta_enabled_flag) |
| 1073 | 1073 |
pps->diff_cu_qp_delta_depth = get_ue_golomb_long(gb); |
| 1074 | 1074 |
|
| 1075 |
+ if (pps->diff_cu_qp_delta_depth < 0 || |
|
| 1076 |
+ pps->diff_cu_qp_delta_depth > sps->log2_diff_max_min_coding_block_size) {
|
|
| 1077 |
+ av_log(s->avctx, AV_LOG_ERROR, "diff_cu_qp_delta_depth %d is invalid\n", |
|
| 1078 |
+ pps->diff_cu_qp_delta_depth); |
|
| 1079 |
+ ret = AVERROR_INVALIDDATA; |
|
| 1080 |
+ goto err; |
|
| 1081 |
+ } |
|
| 1082 |
+ |
|
| 1075 | 1083 |
pps->cb_qp_offset = get_se_golomb(gb); |
| 1076 | 1084 |
if (pps->cb_qp_offset < -12 || pps->cb_qp_offset > 12) {
|
| 1077 | 1085 |
av_log(s->avctx, AV_LOG_ERROR, "pps_cb_qp_offset out of range: %d\n", |