Fixes integer overflow
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
... | ... |
@@ -87,7 +87,8 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, |
87 | 87 |
|
88 | 88 |
if (rps_predict) { |
89 | 89 |
const ShortTermRPS *rps_ridx; |
90 |
- int delta_rps, abs_delta_rps; |
|
90 |
+ int delta_rps; |
|
91 |
+ unsigned abs_delta_rps; |
|
91 | 92 |
uint8_t use_delta_flag = 0; |
92 | 93 |
uint8_t delta_rps_sign; |
93 | 94 |
|
... | ... |
@@ -105,6 +106,12 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, |
105 | 105 |
|
106 | 106 |
delta_rps_sign = get_bits1(gb); |
107 | 107 |
abs_delta_rps = get_ue_golomb_long(gb) + 1; |
108 |
+ if (abs_delta_rps < 1 || abs_delta_rps > 32768) { |
|
109 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
110 |
+ "Invalid value of abs_delta_rps: %d\n", |
|
111 |
+ abs_delta_rps); |
|
112 |
+ return AVERROR_INVALIDDATA; |
|
113 |
+ } |
|
108 | 114 |
delta_rps = (1 - (delta_rps_sign << 1)) * abs_delta_rps; |
109 | 115 |
for (i = 0; i <= rps_ridx->num_delta_pocs; i++) { |
110 | 116 |
int used = rps->used[k] = get_bits1(gb); |