mirror of https://git.ffmpeg.org/ffmpeg.git
avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()
Fixes: integer overflow Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208 Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
This commit is contained in:
parent
37e8edc9f5
commit
2b44dcbc44
|
@ -225,6 +225,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
|
|||
prev = 0;
|
||||
for (i = 0; i < rps->num_negative_pics; i++) {
|
||||
delta_poc = get_ue_golomb_long(gb) + 1;
|
||||
if (delta_poc < 1 || delta_poc > 32768) {
|
||||
av_log(avctx, AV_LOG_ERROR,
|
||||
"Invalid value of delta_poc: %d\n",
|
||||
delta_poc);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
prev -= delta_poc;
|
||||
rps->delta_poc[i] = prev;
|
||||
rps->used[i] = get_bits1(gb);
|
||||
|
@ -232,6 +238,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
|
|||
prev = 0;
|
||||
for (i = 0; i < nb_positive_pics; i++) {
|
||||
delta_poc = get_ue_golomb_long(gb) + 1;
|
||||
if (delta_poc < 1 || delta_poc > 32768) {
|
||||
av_log(avctx, AV_LOG_ERROR,
|
||||
"Invalid value of delta_poc: %d\n",
|
||||
delta_poc);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
prev += delta_poc;
|
||||
rps->delta_poc[rps->num_negative_pics + i] = prev;
|
||||
rps->used[rps->num_negative_pics + i] = get_bits1(gb);
|
||||
|
|
Loading…
Reference in New Issue