From b06958917cca35a0dc7ac1da4d8e681cdea811ed Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Mon, 24 Aug 2015 13:04:38 +0200 Subject: [PATCH] avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops Signed-off-by: Michael Niedermayer (cherry picked from commit ee155c18a2c50b339ba5f6f223fbb6dc343fd471) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 9932d92298..f403e1c522 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -566,6 +566,8 @@ static int hvcc_parse_sps(GetBitContext *gb, if (get_bits1(gb)) { // long_term_ref_pics_present_flag unsigned num_long_term_ref_pics_sps = get_ue_golomb_long(gb); + if (num_long_term_ref_pics_sps > 31U) + return AVERROR_INVALIDDATA; for (i = 0; i < num_long_term_ref_pics_sps; i++) { // num_long_term_ref_pics_sps int len = FFMIN(log2_max_pic_order_cnt_lsb_minus4 + 4, 16); skip_bits (gb, len); // lt_ref_pic_poc_lsb_sps[i]