avformat/evc: add range checks to evcc_parse_sps and return proper error codes

Signed-off-by: James Almer <jamrial@gmail.com>

1 files changed, 10 insertions, 3 deletions

diff --git a/libavformat/evc.c b/libavformat/evc.c
index 9d0fe8d84c..287e5f8b28 100644
--- a/libavformat/evc.c
+++ b/libavformat/evc.c
@@ -88,17 +88,19 @@ static int evcc_parse_sps(const uint8_t *bs, int bs_size, EVCDecoderConfiguratio
 {
     GetBitContext gb;
     unsigned sps_seq_parameter_set_id;
+    int ret;
 
     bs += EVC_NALU_HEADER_SIZE;
     bs_size -= EVC_NALU_HEADER_SIZE;
 
-    if (init_get_bits8(&gb, bs, bs_size) < 0)
-        return 0;
+    ret = init_get_bits8(&gb, bs, bs_size);
+    if (ret < 0)
+        return ret;
 
     sps_seq_parameter_set_id = get_ue_golomb_31(&gb);
 
     if (sps_seq_parameter_set_id >= EVC_MAX_SPS_COUNT)
-        return 0;
+        return AVERROR_INVALIDDATA;
 
     // the Baseline profile is indicated by profile_idc eqal to 0
     // the Main profile is indicated by profile_idc eqal to 1
@@ -114,12 +116,17 @@ static int evcc_parse_sps(const uint8_t *bs, int bs_size, EVCDecoderConfiguratio
     // 2 - 4:2:2
     // 3 - 4:4:4
     evcc->chroma_format_idc = get_ue_golomb_31(&gb);
+    if (evcc->chroma_format_idc > 3)
+        return AVERROR_INVALIDDATA;
 
     evcc->pic_width_in_luma_samples = get_ue_golomb_long(&gb);
     evcc->pic_height_in_luma_samples = get_ue_golomb_long(&gb);
 
     evcc->bit_depth_luma_minus8 = get_ue_golomb_31(&gb);
     evcc->bit_depth_chroma_minus8 = get_ue_golomb_31(&gb);
+    // EVCDecoderConfigurationRecord can't store values > 7. Limit it to bit depth 14.
+    if (evcc->bit_depth_luma_minus8 > 6 || evcc->bit_depth_chroma_minus8 > 6)
+        return AVERROR_INVALIDDATA;
 
     return 0;
 }