[FFmpeg-cvslog] avformat/hevc: Check num_negative_pics and num_positive_pics
Michael Niedermayer
git at videolan.org
Sat May 16 00:16:17 CEST 2015
ffmpeg | branch: release/2.6 | Michael Niedermayer <michaelni at gmx.at> | Tue May 12 19:28:15 2015 +0200| [0fc6a9511634c58f1cb93ccf8f6bb1da14141d8b] | committer: Michael Niedermayer
avformat/hevc: Check num_negative_pics and num_positive_pics
Fixes CID1238994
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit b62b3292d8e25d3240e462c1b1cd8ac69195c46b)
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=0fc6a9511634c58f1cb93ccf8f6bb1da14141d8b
---
libavformat/hevc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavformat/hevc.c b/libavformat/hevc.c
index 8ef3c1f..c92e9eb 100644
--- a/libavformat/hevc.c
+++ b/libavformat/hevc.c
@@ -462,6 +462,9 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx,
unsigned int num_negative_pics = get_ue_golomb_long(gb);
unsigned int num_positive_pics = get_ue_golomb_long(gb);
+ if ((num_positive_pics + (uint64_t)num_negative_pics) * 2 > get_bits_left(gb))
+ return AVERROR_INVALIDDATA;
+
num_delta_pocs[rps_idx] = num_negative_pics + num_positive_pics;
for (i = 0; i < num_negative_pics; i++) {
More information about the ffmpeg-cvslog
mailing list