From 0af1d69959696aa4baab7feef361e57d62f2e3f4 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Fri, 2 May 2025 16:28:24 -0300
Subject: [PATCH] avcodec/hevc/hevcdec: move the slice header buffer overread check up in the function

Abort as soon as we're done reading the slice header instead of running extra checks that assume slice data may follow.

Signed-off-by: James Almer
---
 libavcodec/hevc/hevcdec.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index df186d6194..a7a91769fe 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -1160,6 +1160,12 @@ static int hls_slice_header(SliceHeader *sh, const HEVCContext *s, GetBitContext
 }
 sh->data_offset = align_get_bits(gb) - gb->buffer;
+ if (get_bits_left(gb) < 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Overread slice header by %d bits\n", -get_bits_left(gb));
+ return AVERROR_INVALIDDATA;
+ }
+
 // Inferred parameters
 sh->slice_qp = 26U + pps->pic_init_qp_minus26 + sh->slice_qp_delta;
 if (sh->slice_qp > 51 ||
@@ -1180,12 +1186,6 @@ static int hls_slice_header(SliceHeader *sh, const HEVCContext *s, GetBitContext
 return AVERROR_INVALIDDATA;
 }
- if (get_bits_left(gb) < 0) {
- av_log(s->avctx, AV_LOG_ERROR,
- "Overread slice header by %d bits\n", -get_bits_left(gb));
- return AVERROR_INVALIDDATA;
- }
-
 return 0;
 }
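Review bot: With the overread guard now placed directly after `sh->data_offset = align_get_bits(gb) - gb->buffer;`, nothing below it is covered any more, so a later change that adds a read from `gb` in the "Inferred parameters" part would go unchecked where the old end-of-function position caught it. A comment above the guard would pin that invariant, for example `/* Last read from gb is above; nothing below may consume bits without re-checking get_bits_left(). */`. The guard also runs after `sh->data_offset` has been stored, so on the error path `sh` holds an offset derived from an over-read position; whether any caller inspects `sh` after a failed parse is not visible here, and testing before the assignment would avoid the question. hls_slice_header starts before this hunk and ends in the next one.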