hevc: Validate the number of long term reference pictures

This would overflow if the stream contained a value greater than the maximum allowed by the standard (32).
author: Mark Thompson <sw@jkqxz.net> 2017-06-24 00:29:14 +0100
committer: Mark Thompson <sw@jkqxz.net> 2017-08-05 23:54:35 +0100
commit: 1329c08ad6d2ddb304858f2972c67b508e8b0f0e (patch)
tree: 8c1722431d98dd4c356514c46e99238837c9405a /libavcodec
parent: b88da98b34809dedf8882d43ed543632ed233538 (diff)
download: ffmpeg-1329c08ad6d2ddb304858f2972c67b508e8b0f0e.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 74906fd71b..2603e6d99f 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -883,6 +883,12 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb, unsigned int *sps_id,
     sps->long_term_ref_pics_present_flag = get_bits1(gb);
     if (sps->long_term_ref_pics_present_flag) {
         sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb);
+        if (sps->num_long_term_ref_pics_sps > HEVC_MAX_LONG_TERM_REF_PICS) {
+            av_log(avctx, AV_LOG_ERROR, "Too many long term ref pics: %d.\n",
+                   sps->num_long_term_ref_pics_sps);
+            ret = AVERROR_INVALIDDATA;
+            goto err;
+        }
         for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) {
             sps->lt_ref_pic_poc_lsb_sps[i]       = get_bits(gb, sps->log2_max_poc_lsb);
             sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb);
author	Mark Thompson <sw@jkqxz.net>	2017-06-24 00:29:14 +0100
committer	Mark Thompson <sw@jkqxz.net>	2017-08-05 23:54:35 +0100
commit	1329c08ad6d2ddb304858f2972c67b508e8b0f0e (patch)
tree	8c1722431d98dd4c356514c46e99238837c9405a /libavcodec
parent	b88da98b34809dedf8882d43ed543632ed233538 (diff)
download	ffmpeg-1329c08ad6d2ddb304858f2972c67b508e8b0f0e.tar.gz