[FFmpeg-cvslog] avcodec/evc_ps: check valid range for a few more elements
James Almer
git at videolan.org
Mon Jun 19 23:27:57 EEST 2023
ffmpeg | branch: master | James Almer <jamrial at gmail.com> | Mon Jun 19 16:33:08 2023 -0300| [377da83b995ade45c31af7278a6502ee39ca1a10] | committer: James Almer
avcodec/evc_ps: check valid range for a few more elements
Should prevent overreads on non spec conformant input.
Signed-off-by: James Almer <jamrial at gmail.com>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=377da83b995ade45c31af7278a6502ee39ca1a10
---
libavcodec/evc_ps.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/libavcodec/evc_ps.c b/libavcodec/evc_ps.c
index 8d895d228b..075e705d3d 100644
--- a/libavcodec/evc_ps.c
+++ b/libavcodec/evc_ps.c
@@ -224,8 +224,13 @@ int ff_evc_parse_sps(EVCParamSets *ps, const uint8_t *bs, int bs_size)
sps->sps_dquant_flag = get_bits(&gb, 1);
sps->sps_dra_flag = get_bits(&gb, 1);
- if (sps->sps_pocs_flag)
+ if (sps->sps_pocs_flag) {
sps->log2_max_pic_order_cnt_lsb_minus4 = get_ue_golomb(&gb);
+ if (sps->log2_max_pic_order_cnt_lsb_minus4 > 12U) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
+ }
if (!sps->sps_pocs_flag || !sps->sps_rpl_flag) {
sps->log2_sub_gop_length = get_ue_golomb(&gb);
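Review bot: The `> 12U` comparison at the new check deserves a one-line comment, because the unsigned literal is doing more than bounding the value: if the field is a signed int and get_ue_golomb() reports a malformed code with a negative return, the promotion to unsigned turns that into a large value and the same branch rejects it. Without the comment a later cleanup could drop the `U` suffix as a no-op and silently lose that rejection. Suggested: `/* unsigned compare: also rejects a negative get_ue_golomb() error return */` on the line before the `if`. The same idiom appears in the tile_id_len_minus1 check in the last hunk; ff_evc_parse_sps and its `fail` label lie outside this hunk.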
@@ -271,7 +276,11 @@ int ff_evc_parse_sps(EVCParamSets *ps, const uint8_t *bs, int bs_size)
sps->chroma_qp_table_struct.same_qp_table_for_chroma = get_bits(&gb, 1);
sps->chroma_qp_table_struct.global_offset_flag = get_bits(&gb, 1);
for (int i = 0; i < (sps->chroma_qp_table_struct.same_qp_table_for_chroma ? 1 : 2); i++) {
- sps->chroma_qp_table_struct.num_points_in_qp_table_minus1[i] = get_ue_golomb(&gb);;
+ sps->chroma_qp_table_struct.num_points_in_qp_table_minus1[i] = get_ue_golomb(&gb);
+ if (sps->chroma_qp_table_struct.num_points_in_qp_table_minus1[i] >= EVC_MAX_QP_TABLE_SIZE) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
for (int j = 0; j <= sps->chroma_qp_table_struct.num_points_in_qp_table_minus1[i]; j++) {
sps->chroma_qp_table_struct.delta_qp_in_val_minus1[i][j] = get_bits(&gb, 6);
sps->chroma_qp_table_struct.delta_qp_out_val[i][j] = get_se_golomb(&gb);
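Review bot: The new `>= EVC_MAX_QP_TABLE_SIZE` check is a plain signed comparison, unlike the `> 12U` check in the first hunk, so a negative value from get_ue_golomb() (its error return, if the field is a signed int) would pass the check; the inner `j <=` loop then simply does not run, so the array is not overread, but a malformed stream is accepted rather than rejected with AVERROR_INVALIDDATA. Making the test match the unsigned style used elsewhere in this commit closes that gap: `if ((unsigned)sps->chroma_qp_table_struct.num_points_in_qp_table_minus1[i] >= EVC_MAX_QP_TABLE_SIZE) {`. The same applies to the `num_tile_columns_minus1` / `num_tile_rows_minus1` check in the following hunk of ff_evc_parse_pps. Both enclosing functions and their `fail` labels are outside the visible hunks, so this assumes `fail` releases whatever was acquired before the parse.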
@@ -342,6 +351,11 @@ int ff_evc_parse_pps(EVCParamSets *ps, const uint8_t *bs, int bs_size)
if (!pps->single_tile_in_pic_flag) {
pps->num_tile_columns_minus1 = get_ue_golomb(&gb);
pps->num_tile_rows_minus1 = get_ue_golomb(&gb);
+ if (pps->num_tile_columns_minus1 >= EVC_MAX_TILE_COLUMNS ||
+ pps->num_tile_rows_minus1 >= EVC_MAX_TILE_ROWS) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
pps->uniform_tile_spacing_flag = get_bits(&gb, 1);
if (!pps->uniform_tile_spacing_flag) {
@@ -356,6 +370,10 @@ int ff_evc_parse_pps(EVCParamSets *ps, const uint8_t *bs, int bs_size)
}
pps->tile_id_len_minus1 = get_ue_golomb(&gb);
+ if (pps->tile_id_len_minus1 > 15U) {
+ ret = AVERROR_INVALIDDATA;
+ goto fail;
+ }
pps->explicit_tile_id_flag = get_bits(&gb, 1);
if (pps->explicit_tile_id_flag) {