aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLuca Barbato <lu_zero@gentoo.org>2014-01-12 01:14:12 +0100
committerMichael Niedermayer <michaelni@gmx.at>2014-01-13 16:17:04 +0100
commitd63476347a486ae87ef5b1279fd813529a58849c (patch)
treeaf36f43f7406a616c35c79e499ac1e0785b252e8
parent39545c54826c5c0afb8af83507803e0d891409ea (diff)
downloadffmpeg-d63476347a486ae87ef5b1279fd813529a58849c.tar.gz
hevc: Bound check slice_qp
The T-REC-H.265-2013044 page 79 states they have to be into the range [-s->sps->qp_bd_offset, 51]. Fixes: asan_stack-oob_eae8e3_9522_WP_MAIN10_B_Toshiba_3.bit Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit aead772b5814142b0e530804486ff7970ecd9eef) Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
-rw-r--r--libavcodec/hevc.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index e6fd5cfbb0..befe2dec16 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -630,7 +630,17 @@ static int hls_slice_header(HEVCContext *s)
}
// Inferred parameters
- sh->slice_qp = 26 + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta;
+ sh->slice_qp = 26U + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta;
+ if (sh->slice_qp > 51 ||
+ sh->slice_qp < -s->sps->qp_bd_offset) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "The slice_qp %d is outside the valid range "
+ "[%d, 51].\n",
+ sh->slice_qp,
+ -s->sps->qp_bd_offset);
+ return AVERROR_INVALIDDATA;
+ }
+
sh->slice_ctb_addr_rs = sh->slice_segment_addr;
s->HEVClc->first_qp_group = !s->sh.dependent_slice_segment_flag;