authorChristophe Gisquet <christophe.gisquet@gmail.com>2014-08-10 19:22:06 +0200
committerMichael Niedermayer <michaelni@gmx.at>2014-08-11 02:47:05 +0200
commit5ec85c9750f0770383b781acd6362a8bebbf4db6 (patch)
treee0f88a13014fd147c6c9a85c98627fe94f7290f2
parentbfffce4d081c87b9fadcc0ce3fb5309cf8f266e5 (diff)
downloadffmpeg-5ec85c9750f0770383b781acd6362a8bebbf4db6.tar.gz
hevc: do generic validation of bitstream
After finishing parsing VPS/SPS/PPS/slice header, check remaining bits, and if an overconsumption occurred, report invalid data. Liked-by: BBB Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/hevc.c6
-rw-r--r--libavcodec/hevc_ps.c18
2 files changed, 24 insertions, 0 deletions
diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 829b5d1969..3170d8496e 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -740,6 +740,12 @@ static int hls_slice_header(HEVCContext *s)
return AVERROR_INVALIDDATA;
}
+ if (get_bits_left(gb) < 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Overread slice header by %d bits\n", -get_bits_left(gb));
+ return AVERROR_INVALIDDATA;
+ }
+
s->HEVClc->first_qp_group = !s->sh.dependent_slice_segment_flag;
if (!s->pps->cu_qp_delta_enabled_flag)
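Review bot: The overread check in hls_slice_header runs only after every field has been parsed and stored into `s->sh`, so on this error return the slice-header state is left partly filled with values read past the end of the NAL. I would document that above the check, e.g. `/* s->sh is not trustworthy after this return; the caller must drop the slice */`, and confirm the caller never reuses `s->sh` after a failure. The check detects the overread rather than preventing it, so it relies on the bit reader itself being bounds-safe; if that reader clamps its index, the bit count in the log message is presumably a lower bound rather than the true overread. The function body starts and continues outside the hunk.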
diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index fe974bcbf2..163c5e4aab 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -452,6 +452,12 @@ int ff_hevc_decode_nal_vps(HEVCContext *s)
}
get_bits1(gb); /* vps_extension_flag */
+ if (get_bits_left(gb) < 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Overread VPS by %d bits\n", -get_bits_left(gb));
+ goto err;
+ }
+
av_buffer_unref(&s->vps_list[vps_id]);
s->vps_list[vps_id] = vps_buf;
return 0;
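Review bot: The new `goto err` in ff_hevc_decode_nal_vps sets no error code in the visible lines, and the `err` label is outside the hunk, so the value returned on overread cannot be verified here; the SPS and PPS hunks below repeat the same pattern. If any of those labels returns a status variable rather than a constant, a malformed parameter set could be reported with a stale or zero code, so assign it before the jump, e.g. `ret = AVERROR_INVALIDDATA;` (assuming that is the variable's name in the function), matching the explicit `return AVERROR_INVALIDDATA;` used in the slice-header check. Placing the check before `av_buffer_unref(&s->vps_list[vps_id])` is what keeps a rejected VPS out of the active list, and a short comment saying so would stop a later edit from moving it below the assignment.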
@@ -1050,6 +1056,12 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
goto err;
}
+ if (get_bits_left(gb) < 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Overread SPS by %d bits\n", -get_bits_left(gb));
+ goto err;
+ }
+
if (s->avctx->debug & FF_DEBUG_BITSTREAM) {
av_log(s->avctx, AV_LOG_DEBUG,
"Parsed SPS: id %d; coded wxh: %dx%d; "
@@ -1473,6 +1485,12 @@ int ff_hevc_decode_nal_pps(HEVCContext *s)
}
}
+ if (get_bits_left(gb) < 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Overread PPS by %d bits\n", -get_bits_left(gb));
+ goto err;
+ }
+
av_buffer_unref(&s->pps_list[pps_id]);
s->pps_list[pps_id] = pps_buf;