From 1329c08ad6d2ddb304858f2972c67b508e8b0f0e Mon Sep 17 00:00:00 2001
From: Mark Thompson
Date: Sat, 24 Jun 2017 00:29:14 +0100
Subject: [PATCH] hevc: Validate the number of long term reference pictures
This would overflow if the stream contained a value greater than the maximum allowed by the standard (32).
---
 libavcodec/hevc_ps.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 74906fd71b..2603e6d99f 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -883,6 +883,12 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
 sps->long_term_ref_pics_present_flag = get_bits1(gb);
 if (sps->long_term_ref_pics_present_flag) {
 sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb);
+ if (sps->num_long_term_ref_pics_sps > HEVC_MAX_LONG_TERM_REF_PICS) {
+ av_log(avctx, AV_LOG_ERROR, "Too many long term ref pics: %d.\n",
+ sps->num_long_term_ref_pics_sps);
+ ret = AVERROR_INVALIDDATA;
+ goto err;
+ }
 for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) {
 sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb);
 sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb);
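Review bot: The new bound check compares the value only after it has been stored in `sps->num_long_term_ref_pics_sps`, so if that field is narrower than the return type of `get_ue_golomb_long()` (its declaration is not visible in this hunk), an oversized coded value would be truncated before the comparison. A non-conforming stream could then pass with a wrapped, in-range count instead of being rejected. Validating the raw value first avoids depending on the field width: `unsigned n = get_ue_golomb_long(gb);`, then `if (n > HEVC_MAX_LONG_TERM_REF_PICS) {` with the existing error path, then `sps->num_long_term_ref_pics_sps = n;`. The log call would then print `n` with `%u`; the current `%d` assumes a signed int argument. The check is only as tight as the declared sizes of `lt_ref_pic_poc_lsb_sps` and `used_by_curr_pic_lt_sps_flag`, which are outside the hunk along with the `err` label and the rest of `ff_hevc_parse_sps`, so it is worth confirming both arrays are sized by `HEVC_MAX_LONG_TERM_REF_PICS`.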