[FFmpeg-cvslog] avcodec/hevc_ps: add proper bound checks around cm_ref_layer_id in colour_mapping_table.

[Clement Lecigne]

ffmpeg | branch: master | Clement Lecigne <clecigne at google.com> | Wed May 17 19:28:54 2023 +0200| [96c30affba5123bf3ba7df0ec64fee1eded3d473] | committer: James Almer

avcodec/hevc_ps: add proper bound checks around cm_ref_layer_id in colour_mapping_table.

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
Signed-off-by: James Almer <jamrial at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=96c30affba5123bf3ba7df0ec64fee1eded3d473
---

 libavcodec/hevc_ps.c | 20 +++++++++++++++-----
 libavcodec/hevc_ps.h |  4 ++--
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index a55bced0f7..043e1bf308 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1374,10 +1374,15 @@ static void colour_mapping_octants(GetBitContext *gb, HEVCPPS *pps, int inp_dept
         }
 }
 
-static void colour_mapping_table(GetBitContext *gb, HEVCPPS *pps)
+static int colour_mapping_table(GetBitContext *gb, AVCodecContext *avctx, HEVCPPS *pps)
 {
-    pps->num_cm_ref_layers_minus1 = get_ue_golomb_long(gb);
-    for (int i = 0; i <= pps->num_cm_ref_layers_minus1; i++)
+    pps->num_cm_ref_layers = get_ue_golomb(gb) + 1;
+    if (pps->num_cm_ref_layers > 62) {
+        av_log(avctx, AV_LOG_ERROR,
+               "num_cm_ref_layers_minus1 shall be in the range [0, 61].\n");
+        return AVERROR_INVALIDDATA;
+    }
+    for (int i = 0; i < pps->num_cm_ref_layers; i++)
         pps->cm_ref_layer_id[i] = get_bits(gb, 6);
 
     pps->cm_octant_depth = get_bits(gb, 2);
@@ -1397,6 +1402,8 @@ static void colour_mapping_table(GetBitContext *gb, HEVCPPS *pps)
     }
 
     colour_mapping_octants(gb, pps, 0, 0, 0, 0, 1 << pps->cm_octant_depth);
+
+    return 0;
 }
 
 static int pps_multilayer_extension(GetBitContext *gb, AVCodecContext *avctx,
@@ -1439,8 +1446,11 @@ static int pps_multilayer_extension(GetBitContext *gb, AVCodecContext *avctx,
     }
 
     pps->colour_mapping_enabled_flag = get_bits1(gb);
-    if (pps->colour_mapping_enabled_flag)
-        colour_mapping_table(gb, pps);
+    if (pps->colour_mapping_enabled_flag) {
+        int ret = colour_mapping_table(gb, avctx, pps);
+        if (ret < 0)
+            return ret;
+    }
 
     return 0;
 }
diff --git a/libavcodec/hevc_ps.h b/libavcodec/hevc_ps.h
index a0437815d6..2124deb953 100644
--- a/libavcodec/hevc_ps.h
+++ b/libavcodec/hevc_ps.h
@@ -332,8 +332,8 @@ typedef struct HEVCPPS {
     int8_t phase_hor_chroma[64];
     int8_t phase_ver_chroma[64];
     uint8_t colour_mapping_enabled_flag;
-    uint16_t num_cm_ref_layers_minus1;
-    uint8_t cm_ref_layer_id[63];
+    uint8_t num_cm_ref_layers;
+    uint8_t cm_ref_layer_id[62];
     uint8_t cm_octant_depth;
     uint8_t cm_y_part_num_log2;
     uint8_t luma_bit_depth_cm_input;