Browse code
avcodec/hevc_ps: Check abs_delta_rps
Fixes integer overflow
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Michael Niedermayer authored on 2014/07/20 00:29:46Showing 1 changed files
| ... | ... |
@@ -87,7 +87,8 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, |
| 87 | 87 |
|
| 88 | 88 |
if (rps_predict) {
|
| 89 | 89 |
const ShortTermRPS *rps_ridx; |
| 90 |
- int delta_rps, abs_delta_rps; |
|
| 90 |
+ int delta_rps; |
|
| 91 |
+ unsigned abs_delta_rps; |
|
| 91 | 92 |
uint8_t use_delta_flag = 0; |
| 92 | 93 |
uint8_t delta_rps_sign; |
| 93 | 94 |
|
| ... | ... |
@@ -105,6 +106,12 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, |
| 105 | 105 |
|
| 106 | 106 |
delta_rps_sign = get_bits1(gb); |
| 107 | 107 |
abs_delta_rps = get_ue_golomb_long(gb) + 1; |
| 108 |
+ if (abs_delta_rps < 1 || abs_delta_rps > 32768) {
|
|
| 109 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
| 110 |
+ "Invalid value of abs_delta_rps: %d\n", |
|
| 111 |
+ abs_delta_rps); |
|
| 112 |
+ return AVERROR_INVALIDDATA; |
|
| 113 |
+ } |
|
| 108 | 114 |
delta_rps = (1 - (delta_rps_sign << 1)) * abs_delta_rps; |
| 109 | 115 |
for (i = 0; i <= rps_ridx->num_delta_pocs; i++) {
|
| 110 | 116 |
int used = rps->used[k] = get_bits1(gb); |