Browse code
hevc: Bound check slice_qp
The T-REC-H.265-2013044 page 79 states they have to be into the range
[-s->sps->qp_bd_offset, 51].
Fixes: asan_stack-oob_eae8e3_9522_WP_MAIN10_B_Toshiba_3.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit aead772b5814142b0e530804486ff7970ecd9eef)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Luca Barbato authored on 2014/01/12 09:14:12Showing 1 changed files
| ... | ... |
@@ -630,7 +630,17 @@ static int hls_slice_header(HEVCContext *s) |
| 630 | 630 |
} |
| 631 | 631 |
|
| 632 | 632 |
// Inferred parameters |
| 633 |
- sh->slice_qp = 26 + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta; |
|
| 633 |
+ sh->slice_qp = 26U + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta; |
|
| 634 |
+ if (sh->slice_qp > 51 || |
|
| 635 |
+ sh->slice_qp < -s->sps->qp_bd_offset) {
|
|
| 636 |
+ av_log(s->avctx, AV_LOG_ERROR, |
|
| 637 |
+ "The slice_qp %d is outside the valid range " |
|
| 638 |
+ "[%d, 51].\n", |
|
| 639 |
+ sh->slice_qp, |
|
| 640 |
+ -s->sps->qp_bd_offset); |
|
| 641 |
+ return AVERROR_INVALIDDATA; |
|
| 642 |
+ } |
|
| 643 |
+ |
|
| 634 | 644 |
sh->slice_ctb_addr_rs = sh->slice_segment_addr; |
| 635 | 645 |
|
| 636 | 646 |
s->HEVClc->first_qp_group = !s->sh.dependent_slice_segment_flag; |