author | Mark Thompson <sw@jkqxz.net> | 2021-02-03 21:34:07 +0000 |
---|---|---|
committer | Mark Thompson <sw@jkqxz.net> | 2021-03-12 22:45:33 +0000 |
commit | b128b0ce2203f96ff86969f6d0039827a7f00378 | |
tree | 2d4a0d15e2aa7e12ec500517d9a8663e8b97e343 /libavcodec/cbs_sei_syntax_template.c | |
parent | ec54c32d4a13689678e99cccda3cbaae3af0df52 | |
cbs_h265: Detect more reference combinations which would overflow the DPB

In total, the number of short term references (from the selected short
term ref pic set), the number of long term references (combining both the
used candidates from the SPS and those defined in the slice header) and
the number of instances of the current picture (usually one, but can be
two if current picture reference is enabled) must never exceed the size
of the DPB. This is a generalisation of the condition associated with
num_long_term_pics in 7.4.7.1.

We use this to apply tighter bounds to the number of long term pictures
referred to in the slice header, and also to detect the invalid case where
the second reference to the current picture would not fit in the DPB (this
case can't be detected earlier because an STRPS with 15 pictures can still
be valid in the same stream when used with a different PPS which does not
require two DPB slots for the current picture).

Fixes: 24913/clusterfuzz-testcase-minimized-ffmpeg_BSF_HEVC_METADATA_fuzzer-6261760693370880
Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Tested-by: Michael Niedermayer <michael@niedermayer.cc>
Diffstat (limited to 'libavcodec/cbs_sei_syntax_template.c')
0 files changed, 0 insertions, 0 deletions
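
The DPB bound described in the commit message, sketched as an added example; it is not FFmpeg's code and not part of this commit. The `RefCounts` struct, both function names and the DPB size of 16 used in the sample are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical container for the counts named in the commit message. */
typedef struct RefCounts {
    unsigned num_short_term;     /* pictures in the selected short term RPS  */
    unsigned num_long_term_sps;  /* long term candidates used from the SPS   */
    unsigned num_long_term_pics; /* long term pictures from the slice header */
    int      curr_pic_ref;       /* nonzero: current picture reference is on */
} RefCounts;

/* DPB slots still free for slice-header long term pictures, or -1 if the
 * short term set, SPS candidates and current picture already overflow.
 * Each count is subtracted separately so that a bitstream-supplied value
 * cannot wrap an unsigned sum. Assumes dpb_size is small (it fits an int). */
static int long_term_slots_left(const RefCounts *rc, unsigned dpb_size)
{
    unsigned current = rc->curr_pic_ref ? 2 : 1;
    unsigned left = dpb_size;

    if (current > left)
        return -1;
    left -= current;
    if (rc->num_short_term > left)
        return -1;
    left -= rc->num_short_term;
    if (rc->num_long_term_sps > left)
        return -1;
    left -= rc->num_long_term_sps;
    return (int)left;
}

/* 0 if every reference fits in the DPB, -1 otherwise. */
static int check_slice_refs(const RefCounts *rc, unsigned dpb_size)
{
    int left = long_term_slots_left(rc, dpb_size);
    if (left < 0 || rc->num_long_term_pics > (unsigned)left)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample: 15 short term pictures, DPB size 16 (assumed). */
    RefCounts one = { 15, 0, 0, 0 }, two = { 15, 0, 0, 1 };
    printf("one slot for current picture:  %d\n", check_slice_refs(&one, 16));
    printf("two slots for current picture: %d\n", check_slice_refs(&two, 16));
    return 0;
}
```

The two sample inputs reproduce the case the message singles out: the same 15-picture STRPS is accepted when the current picture needs one slot and rejected when it needs two.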