From f30ab69b38324d156f0511c2c59a4f0d232c2b88 Mon Sep 17 00:00:00 2001 From: Michael Niedermayer Date: Tue, 12 May 2015 19:28:15 +0200 Subject: [PATCH] avformat/hevc: Check num_negative_pics and num_positive_pics Fixes CID1238994 Signed-off-by: Michael Niedermayer (cherry picked from commit b62b3292d8e25d3240e462c1b1cd8ac69195c46b) Signed-off-by: Michael Niedermayer --- libavformat/hevc.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/libavformat/hevc.c b/libavformat/hevc.c index 8ef3c1f986..c92e9eb118 100644 --- a/libavformat/hevc.c +++ b/libavformat/hevc.c @@ -462,6 +462,9 @@ static int parse_rps(GetBitContext *gb, unsigned int rps_idx, unsigned int num_negative_pics = get_ue_golomb_long(gb); unsigned int num_positive_pics = get_ue_golomb_long(gb); + if ((num_positive_pics + (uint64_t)num_negative_pics) * 2 > get_bits_left(gb)) + return AVERROR_INVALIDDATA; + num_delta_pocs[rps_idx] = num_negative_pics + num_positive_pics; for (i = 0; i < num_negative_pics; i++) {