From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100]) by master.gitmailbox.com (Postfix) with ESMTP id 5607B45EE6 for ; Wed, 17 May 2023 17:29:07 +0000 (UTC) Received: from [127.0.1.1] (localhost [127.0.0.1]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 2AA4F68C0F7; Wed, 17 May 2023 20:29:04 +0300 (EEST) Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id A46BC68C0A8 for ; Wed, 17 May 2023 20:28:57 +0300 (EEST) Received: (Authenticated sender: michael@niedermayer.cc) by mail.gandi.net (Postfix) with ESMTPSA id 70AFF40009; Wed, 17 May 2023 17:28:56 +0000 (UTC) From: Michael Niedermayer To: FFmpeg development discussions and patches Date: Wed, 17 May 2023 19:28:54 +0200 Message-Id: <20230517172854.16598-1-michael@niedermayer.cc> X-Mailer: git-send-email 2.17.1 Subject: [FFmpeg-devel] [PATCH] avcodec/hevc_ps: add proper bound checks around cm_ref_layer_id in colour_mapping_table. X-BeenThere: ffmpeg-devel@ffmpeg.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: FFmpeg development discussions and patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: FFmpeg development discussions and patches Cc: Clement Lecigne MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ffmpeg-devel-bounces@ffmpeg.org Sender: "ffmpeg-devel" Archived-At: List-Archive: List-Post: From: Clement Lecigne Signed-off-by: Michael Niedermayer --- libavcodec/hevc_ps.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index a55bced0f7..313ebef151 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c 
@@ -1374,9 +1374,14 @@ static void colour_mapping_octants(GetBitContext *gb, HEVCPPS *pps, int inp_dept } } -static void colour_mapping_table(GetBitContext *gb, HEVCPPS *pps) +static int colour_mapping_table(GetBitContext *gb, AVCodecContext *avctx, HEVCPPS *pps) { - pps->num_cm_ref_layers_minus1 = get_ue_golomb_long(gb); + pps->num_cm_ref_layers_minus1 = get_ue_golomb(gb); + if (pps->num_cm_ref_layers_minus1 >= 63U) { + av_log(avctx, AV_LOG_ERROR, + "num_cm_ref_layers_minus1 shall be in the range [0, 63].\n"); + return AVERROR_INVALIDDATA; + } for (int i = 0; i <= pps->num_cm_ref_layers_minus1; i++) pps->cm_ref_layer_id[i] = get_bits(gb, 6); @@ -1397,6 +1402,7 @@ static void colour_mapping_table(GetBitContext *gb, HEVCPPS *pps) } colour_mapping_octants(gb, pps, 0, 0, 0, 0, 1 << pps->cm_octant_depth); + return 0; } static int pps_multilayer_extension(GetBitContext *gb, AVCodecContext *avctx, @@ -1439,8 +1445,11 @@ static int pps_multilayer_extension(GetBitContext *gb, AVCodecContext *avctx, } pps->colour_mapping_enabled_flag = get_bits1(gb); - if (pps->colour_mapping_enabled_flag) - colour_mapping_table(gb, pps); + if (pps->colour_mapping_enabled_flag) { + int ret = colour_mapping_table(gb, avctx, pps); + if (ret < 0) + return ret; + } return 0; } -- 2.17.1 _______________________________________________ ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".
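Review bot: In the first hunk, in colour_mapping_table(), the new check and its log message disagree about the upper bound: the condition "pps->num_cm_ref_layers_minus1 >= 63U" rejects 63, while the message says the value "shall be in the range [0, 63]". The loop that follows runs with i <= pps->num_cm_ref_layers_minus1 and writes pps->cm_ref_layer_id[i], so the largest accepted value should follow from the declared size of cm_ref_layer_id (not visible in this diff), for example by comparing against FF_ARRAY_ELEMS(pps->cm_ref_layer_id), and the message should state that same limit. The switch from get_ue_golomb_long() to get_ue_golomb() in the same hunk is not explained in the commit message; a sentence on why it is part of this fix would help. Consider also reading the value into a local and assigning it to pps only after it passes the check, so the out-of-range value is not left in the structure on the error path.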