Commit 0575adfd authored by Michael Niedermayer's avatar Michael Niedermayer

avcodec/hevc_ps: Check delta_pocs in ff_hevc_decode_short_term_rps()

Fixes: integer overflow
Fixes: 2893/clusterfuzz-testcase-minimized-5809330567774208

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpegSigned-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
(cherry picked from commit 2b44dcbc)
Signed-off-by: 's avatarMichael Niedermayer <michael@niedermayer.cc>
parent 5351c8bd
......@@ -224,6 +224,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
prev = 0;
for (i = 0; i < rps->num_negative_pics; i++) {
delta_poc = get_ue_golomb_long(gb) + 1;
if (delta_poc < 1 || delta_poc > 32768) {
av_log(avctx, AV_LOG_ERROR,
"Invalid value of delta_poc: %d\n",
delta_poc);
return AVERROR_INVALIDDATA;
}
prev -= delta_poc;
rps->delta_poc[i] = prev;
rps->used[i] = get_bits1(gb);
......@@ -231,6 +237,12 @@ int ff_hevc_decode_short_term_rps(GetBitContext *gb, AVCodecContext *avctx,
prev = 0;
for (i = 0; i < nb_positive_pics; i++) {
delta_poc = get_ue_golomb_long(gb) + 1;
if (delta_poc < 1 || delta_poc > 32768) {
av_log(avctx, AV_LOG_ERROR,
"Invalid value of delta_poc: %d\n",
delta_poc);
return AVERROR_INVALIDDATA;
}
prev += delta_poc;
rps->delta_poc[rps->num_negative_pics + i] = prev;
rps->used[rps->num_negative_pics + i] = get_bits1(gb);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment