mirror of
https://github.com/FFmpeg/FFmpeg.git
synced 2024-12-23 12:43:46 +02:00
hevc: Prevent some integer overflows
get_ue_golomb_long() returns an unsigned. Sample-Id: 00001541-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
This commit is contained in:
parent
faf03ecba0
commit
838740e642
@ -338,7 +338,7 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb)
|
||||
const HEVCSPS *sps = s->sps;
|
||||
int max_poc_lsb = 1 << sps->log2_max_poc_lsb;
|
||||
int prev_delta_msb = 0;
|
||||
int nb_sps = 0, nb_sh;
|
||||
unsigned int nb_sps = 0, nb_sh;
|
||||
int i;
|
||||
|
||||
rps->nb_refs = 0;
|
||||
@ -759,7 +759,7 @@ static int hls_slice_header(HEVCContext *s)
|
||||
}
|
||||
|
||||
if (s->pps->slice_header_extension_present_flag) {
|
||||
int length = get_ue_golomb_long(gb);
|
||||
unsigned int length = get_ue_golomb_long(gb);
|
||||
for (i = 0; i < length; i++)
|
||||
skip_bits(gb, 8); // slice_header_extension_data_byte
|
||||
}
|
||||
|
@ -261,7 +261,7 @@ enum ScanType {
|
||||
};
|
||||
|
||||
typedef struct ShortTermRPS {
|
||||
int num_negative_pics;
|
||||
unsigned int num_negative_pics;
|
||||
int num_delta_pocs;
|
||||
int32_t delta_poc[32];
|
||||
uint8_t used[32];
|
||||
@ -528,7 +528,7 @@ typedef struct HEVCPPS {
|
||||
} HEVCPPS;
|
||||
|
||||
typedef struct SliceHeader {
|
||||
int pps_id;
|
||||
unsigned int pps_id;
|
||||
|
||||
///< address (in raster order) of the first block in the current slice segment
|
||||
unsigned int slice_segment_addr;
|
||||
|
@ -93,7 +93,7 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps,
|
||||
uint8_t delta_rps_sign;
|
||||
|
||||
if (is_slice_header) {
|
||||
int delta_idx = get_ue_golomb_long(gb) + 1;
|
||||
unsigned int delta_idx = get_ue_golomb_long(gb) + 1;
|
||||
if (delta_idx > sps->nb_st_rps) {
|
||||
av_log(s->avctx, AV_LOG_ERROR,
|
||||
"Invalid value of delta_idx in slice header RPS: %d > %d.\n",
|
||||
@ -244,7 +244,7 @@ static void parse_ptl(HEVCContext *s, PTL *ptl, int max_num_sub_layers)
|
||||
}
|
||||
}
|
||||
|
||||
static void decode_sublayer_hrd(HEVCContext *s, int nb_cpb,
|
||||
static void decode_sublayer_hrd(HEVCContext *s, unsigned int nb_cpb,
|
||||
int subpic_params_present)
|
||||
{
|
||||
GetBitContext *gb = &s->HEVClc.gb;
|
||||
@ -298,7 +298,7 @@ static void decode_hrd(HEVCContext *s, int common_inf_present,
|
||||
|
||||
for (i = 0; i < max_sublayers; i++) {
|
||||
int low_delay = 0;
|
||||
int nb_cpb = 1;
|
||||
unsigned int nb_cpb = 1;
|
||||
int fixed_rate = get_bits1(gb);
|
||||
|
||||
if (!fixed_rate)
|
||||
@ -553,18 +553,18 @@ static int scaling_list_data(HEVCContext *s, ScalingList *sl)
|
||||
GetBitContext *gb = &s->HEVClc.gb;
|
||||
uint8_t scaling_list_pred_mode_flag[4][6];
|
||||
int32_t scaling_list_dc_coef[2][6];
|
||||
int size_id, matrix_id, i, pos, delta;
|
||||
int size_id, matrix_id, i, pos;
|
||||
|
||||
for (size_id = 0; size_id < 4; size_id++)
|
||||
for (matrix_id = 0; matrix_id < (size_id == 3 ? 2 : 6); matrix_id++) {
|
||||
scaling_list_pred_mode_flag[size_id][matrix_id] = get_bits1(gb);
|
||||
if (!scaling_list_pred_mode_flag[size_id][matrix_id]) {
|
||||
delta = get_ue_golomb_long(gb);
|
||||
unsigned int delta = get_ue_golomb_long(gb);
|
||||
/* Only need to handle non-zero delta. Zero means default,
|
||||
* which should already be in the arrays. */
|
||||
if (delta) {
|
||||
// Copy from previous array.
|
||||
if (matrix_id - delta < 0) {
|
||||
if (matrix_id < delta) {
|
||||
av_log(s->avctx, AV_LOG_ERROR,
|
||||
"Invalid delta in scaling list data: %d.\n", delta);
|
||||
return AVERROR_INVALIDDATA;
|
||||
|
Loading…
Reference in New Issue
Block a user