avformat/hevc: Check num_long_term_ref_pics_sps to avoid potentially long loops

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit ee155c18a2c50b339ba5f6f223fbb6dc343fd471) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
author: Michael Niedermayer <michael@niedermayer.cc> 2015-08-24 13:04:38 +0200
committer: Michael Niedermayer <michael@niedermayer.cc> 2015-11-12 02:55:45 +0100
commit: 679df05683e6a36e3af4d98a65248debc472ed7d (patch)
tree: 84b21eebdfe8c894f3fc141ede03301a76fc7770
parent: 717c3ebfa46fac9d51dec9e079fdbc9e4652a9ac (diff)
download: ffmpeg-679df05683e6a36e3af4d98a65248debc472ed7d.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/libavformat/hevc.c b/libavformat/hevc.c
index c3257fffd1..f0cbab8e67 100644
--- a/libavformat/hevc.c
+++ b/libavformat/hevc.c
@@ -566,6 +566,8 @@ static int hvcc_parse_sps(GetBitContext *gb,
 
     if (get_bits1(gb)) {                               // long_term_ref_pics_present_flag
         unsigned num_long_term_ref_pics_sps = get_ue_golomb_long(gb);
+        if (num_long_term_ref_pics_sps > 31U)
+            return AVERROR_INVALIDDATA;
         for (i = 0; i < num_long_term_ref_pics_sps; i++) { // num_long_term_ref_pics_sps
             int len = FFMIN(log2_max_pic_order_cnt_lsb_minus4 + 4, 16);
             skip_bits (gb, len); // lt_ref_pic_poc_lsb_sps[i]
author	Michael Niedermayer <michael@niedermayer.cc>	2015-08-24 13:04:38 +0200
committer	Michael Niedermayer <michael@niedermayer.cc>	2015-11-12 02:55:45 +0100
commit	679df05683e6a36e3af4d98a65248debc472ed7d (patch)
tree	84b21eebdfe8c894f3fc141ede03301a76fc7770
parent	717c3ebfa46fac9d51dec9e079fdbc9e4652a9ac (diff)
download	ffmpeg-679df05683e6a36e3af4d98a65248debc472ed7d.tar.gz