avcodec/cbs_h2645: Fix potential out-of-bounds array access

The maximum allowed index for an array access is FF_ARRAY_ELEMS - 1; yet the current code allowed FF_ARRAY_ELEMS. This wasn't dangerous in practice, as parameter sets with invalid ids were already filtered out during reading. Found via PVS-Studio (see ticket #8156). Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> (cherry picked from commit f3333c3c67e8825a4468120bb8aa0943c72c03f3) Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com>
author: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> 2019-09-18 05:25:58 +0200
committer: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> 2020-07-02 00:25:46 +0200
commit: 946d2893a918b8e4178c7623c1e224ea87d23654 (patch)
tree: cafb1a901ed8d3473d5ec1b171edf0b399504b4d
parent: 5db4c91ef57927213adc5e4e0a5006f7bddde195 (diff)
download: ffmpeg-946d2893a918b8e4178c7623c1e224ea87d23654.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
index e929a8011d..e44b683b61 100644
--- a/libavcodec/cbs_h2645.c
+++ b/libavcodec/cbs_h2645.c
@@ -729,7 +729,7 @@ static int cbs_h26 ## h26n ## _replace_ ## ps_var(CodedBitstreamContext *ctx, \
     CodedBitstreamH26 ## h26n ## Context *priv = ctx->priv_data; \
     H26 ## h26n ## Raw ## ps_name *ps_var = unit->content; \
     unsigned int id = ps_var->id_element; \
-    if (id > FF_ARRAY_ELEMS(priv->ps_var)) { \
+    if (id >= FF_ARRAY_ELEMS(priv->ps_var)) { \
         av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid " #ps_name \
                " id : %d.\n", id); \
         return AVERROR_INVALIDDATA; \
author	Andreas Rheinhardt <andreas.rheinhardt@gmail.com>	2019-09-18 05:25:58 +0200
committer	Andreas Rheinhardt <andreas.rheinhardt@gmail.com>	2020-07-02 00:25:46 +0200
commit	946d2893a918b8e4178c7623c1e224ea87d23654 (patch)
tree	cafb1a901ed8d3473d5ec1b171edf0b399504b4d
parent	5db4c91ef57927213adc5e4e0a5006f7bddde195 (diff)
download	ffmpeg-946d2893a918b8e4178c7623c1e224ea87d23654.tar.gz