From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 13B65456E8
	for <ffmpegdev@gitmailbox.com>; Thu, 20 Apr 2023 13:14:24 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id ABB2868BE2B;
	Thu, 20 Apr 2023 16:14:21 +0300 (EEST)
Received: from mail-oo1-f53.google.com (mail-oo1-f53.google.com
 [209.85.161.53])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id CEF9B68BE2B
 for <ffmpeg-devel@ffmpeg.org>; Thu, 20 Apr 2023 16:14:15 +0300 (EEST)
Received: by mail-oo1-f53.google.com with SMTP id
 006d021491bc7-541b61d166aso536734eaf.2
 for <ffmpeg-devel@ffmpeg.org>; Thu, 20 Apr 2023 06:14:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20221208; t=1681996454; x=1684588454;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:from:to:cc:subject:date:message-id:reply-to;
 bh=Z1RRX8g0iVXi9zg7ONypQiO/S0LsGGlM4RJJgNa8+vM=;
 b=fIoGMbAn4pZDOY4WfrMc8L72QsDBFza9qDrKmPe31D9D/NV7MIZ1yaxGIQWI9pcV/Y
 UrnNsaoZvewCbE9wY6fsKFSIMkMhAnmeLNa2na2vZoy7DLORE983vO3U4GCvpTgcYqTy
 37J+Nb5MLaWOrpRtfdMjCME25jGCXE3esuAmQs2lKlzwQBEZB5HtUaWLzDCqPz/6fqDl
 TbMlaRBZpOWbQHr7piPHHw7TdCO3Sj0apaK4mhz51dUKPsRuhFhVkQrnKiDrbvkJfy2I
 IPsQ7LYWpePU36Cq/PeEFwPvpL3DQV0KVcbzdih/211VSUDk+pZ3n5sQvskcoc8+MiiN
 mpLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1681996454; x=1684588454;
 h=content-transfer-encoding:mime-version:message-id:date:subject:to
 :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=Z1RRX8g0iVXi9zg7ONypQiO/S0LsGGlM4RJJgNa8+vM=;
 b=CvDtK+5V0yRI585uT5ZBgZxenKRcKT7f8y1/CRfWbli2wtPsHxdrYc3BSq/LtNR7Lb
 SKsF1uPRSUNHF3D4ufEvBLF6mcj1wdpuSYCYfXNpzlUFmxg/23orBCEdnYEJgUk4xKPG
 khHbxLDuugjqPejp3gKjFrF72+Wh1XpfNLyG18WfeRneiyf1mMhooKw5rEJvBOPVYN+T
 hhtlFkjyExdj1rEQJtHm8V39SU6iEUkPPVvj4HfNVTt2PaPLRj6KNv4fU33p7QHttQ9u
 Qii0D1t7CfoJQ5E1Y6oMWLBTPclskJebGNkldLIY3ed4vS7g51kkpzFvgdS5vD3P5Jaf
 I8PA==
X-Gm-Message-State: AAQBX9ftpIukoXFFDwXSA9g8Zlwu0tVMulxO7Yl+6bm7ZwdwL8DD8DDX
 IrvOUhVbYQFCbug8JX4+fjSl3EbNopU=
X-Google-Smtp-Source: AKy350b1xPbSSEyqN727g1I0Gv1ygTVp733Gr8DL4yVBwljzVytiYNS9rgRTjyRsJBjMtjExyfHwXA==
X-Received: by 2002:a05:6808:1b25:b0:38b:c0aa:5ae0 with SMTP id
 bx37-20020a0568081b2500b0038bc0aa5ae0mr966415oib.55.1681996452175; 
 Thu, 20 Apr 2023 06:14:12 -0700 (PDT)
Received: from localhost.localdomain (host197.190-225-105.telecom.net.ar.
 [190.225.105.197]) by smtp.gmail.com with ESMTPSA id
 26-20020a056870131a00b00177ba198612sm687086oab.53.2023.04.20.06.14.11
 for <ffmpeg-devel@ffmpeg.org>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 20 Apr 2023 06:14:11 -0700 (PDT)
From: James Almer <jamrial@gmail.com>
To: ffmpeg-devel@ffmpeg.org
Date: Thu, 20 Apr 2023 10:14:04 -0300
Message-Id: <20230420131404.8789-1-jamrial@gmail.com>
X-Mailer: git-send-email 2.40.0
MIME-Version: 1.0
Subject: [FFmpeg-devel] [PATCH] avcodec/hevcdec: further constrain some
 slice header field values
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20230420131404.8789-1-jamrial@gmail.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

num_ref_idx_l0_active_minus1, num_ref_idx_l1_active_minus1, num_ref_idx_l0_default_active,
and num_ref_idx_l1_default_active are all in the range 1 to 15, inclusive.

Signed-off-by: James Almer <jamrial@gmail.com>
---
 libavcodec/hevc_ps.c | 10 ++++++++--
 libavcodec/hevcdec.c |  6 +++---
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index 7401ea23f5..f29f783f77 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1762,8 +1762,14 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
 
     pps->cabac_init_present_flag = get_bits1(gb);
 
-    pps->num_ref_idx_l0_default_active = get_ue_golomb_long(gb) + 1;
-    pps->num_ref_idx_l1_default_active = get_ue_golomb_long(gb) + 1;
+    pps->num_ref_idx_l0_default_active = get_ue_golomb_31(gb) + 1;
+    pps->num_ref_idx_l1_default_active = get_ue_golomb_31(gb) + 1;
+    if (pps->num_ref_idx_l0_default_active >= HEVC_MAX_REFS ||
+        pps->num_ref_idx_l1_default_active >= HEVC_MAX_REFS) {
+        av_log(avctx, AV_LOG_ERROR, "Too many default refs in PPS: %d/%d.\n",
+               pps->num_ref_idx_l0_default_active, pps->num_ref_idx_l1_default_active);
+        goto err;
+    }
 
     pps->pic_init_qp_minus26 = get_se_golomb(gb);
 
diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 1a0beac901..0fa4fdd59d 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -773,11 +773,11 @@ static int hls_slice_header(HEVCContext *s)
                 sh->nb_refs[L1] = s->ps.pps->num_ref_idx_l1_default_active;
 
             if (get_bits1(gb)) { // num_ref_idx_active_override_flag
-                sh->nb_refs[L0] = get_ue_golomb_long(gb) + 1;
+                sh->nb_refs[L0] = get_ue_golomb_31(gb) + 1;
                 if (sh->slice_type == HEVC_SLICE_B)
-                    sh->nb_refs[L1] = get_ue_golomb_long(gb) + 1;
+                    sh->nb_refs[L1] = get_ue_golomb_31(gb) + 1;
             }
-            if (sh->nb_refs[L0] > HEVC_MAX_REFS || sh->nb_refs[L1] > HEVC_MAX_REFS) {
+            if (sh->nb_refs[L0] >= HEVC_MAX_REFS || sh->nb_refs[L1] >= HEVC_MAX_REFS) {
                 av_log(s->avctx, AV_LOG_ERROR, "Too many refs: %d/%d.\n",
                        sh->nb_refs[L0], sh->nb_refs[L1]);
                 return AVERROR_INVALIDDATA;
-- 
2.40.0

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".