Message ID | 20230517172854.16598-1-michael@niedermayer.cc |
---|---|
State | New |
Headers | show |
Series | [FFmpeg-devel] avcodec/hevc_ps: add proper bound checks around cm_ref_layer_id in colour_mapping_table. | expand |
Context | Check | Description |
---|---|---|
yinshiyou/make_loongarch64 | success | Make finished |
yinshiyou/make_fate_loongarch64 | success | Make fate finished |
On 5/17/2023 2:28 PM, Michael Niedermayer wrote: > From: Clement Lecigne <clecigne@google.com> > > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> > --- > libavcodec/hevc_ps.c | 17 +++++++++++++---- > 1 file changed, 13 insertions(+), 4 deletions(-) > > diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c > index a55bced0f7..313ebef151 100644 > --- a/libavcodec/hevc_ps.c > +++ b/libavcodec/hevc_ps.c > @@ -1374,9 +1374,14 @@ static void colour_mapping_octants(GetBitContext *gb, HEVCPPS *pps, int inp_dept > } > } > > -static void colour_mapping_table(GetBitContext *gb, HEVCPPS *pps) > +static int colour_mapping_table(GetBitContext *gb, AVCodecContext *avctx, HEVCPPS *pps) > { > - pps->num_cm_ref_layers_minus1 = get_ue_golomb_long(gb); > + pps->num_cm_ref_layers_minus1 = get_ue_golomb(gb); > + if (pps->num_cm_ref_layers_minus1 >= 63U) { > + av_log(avctx, AV_LOG_ERROR, > + "num_cm_ref_layers_minus1 shall be in the range [0, 63].\n"); The spec in section F.7.4.3.3.5 says 0..61, no 0..63. I'll amend this (and update the array in the struct while at it) and push. > + return AVERROR_INVALIDDATA; > + } > for (int i = 0; i <= pps->num_cm_ref_layers_minus1; i++) > pps->cm_ref_layer_id[i] = get_bits(gb, 6); > > @@ -1397,6 +1402,7 @@ static void colour_mapping_table(GetBitContext *gb, HEVCPPS *pps) > } > > colour_mapping_octants(gb, pps, 0, 0, 0, 0, 1 << pps->cm_octant_depth); > + return 0; > } > > static int pps_multilayer_extension(GetBitContext *gb, AVCodecContext *avctx, > @@ -1439,8 +1445,11 @@ static int pps_multilayer_extension(GetBitContext *gb, AVCodecContext *avctx, > } > > pps->colour_mapping_enabled_flag = get_bits1(gb); > - if (pps->colour_mapping_enabled_flag) > - colour_mapping_table(gb, pps); > + if (pps->colour_mapping_enabled_flag) { > + int ret = colour_mapping_table(gb, avctx, pps); > + if (ret < 0) > + return ret; > + } > > return 0; > }
diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index a55bced0f7..313ebef151 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -1374,9 +1374,14 @@ static void colour_mapping_octants(GetBitContext *gb, HEVCPPS *pps, int inp_dept } } -static void colour_mapping_table(GetBitContext *gb, HEVCPPS *pps) +static int colour_mapping_table(GetBitContext *gb, AVCodecContext *avctx, HEVCPPS *pps) { - pps->num_cm_ref_layers_minus1 = get_ue_golomb_long(gb); + pps->num_cm_ref_layers_minus1 = get_ue_golomb(gb); + if (pps->num_cm_ref_layers_minus1 >= 63U) { + av_log(avctx, AV_LOG_ERROR, + "num_cm_ref_layers_minus1 shall be in the range [0, 63].\n"); + return AVERROR_INVALIDDATA; + } for (int i = 0; i <= pps->num_cm_ref_layers_minus1; i++) pps->cm_ref_layer_id[i] = get_bits(gb, 6); @@ -1397,6 +1402,7 @@ static void colour_mapping_table(GetBitContext *gb, HEVCPPS *pps) } colour_mapping_octants(gb, pps, 0, 0, 0, 0, 1 << pps->cm_octant_depth); + return 0; } static int pps_multilayer_extension(GetBitContext *gb, AVCodecContext *avctx, @@ -1439,8 +1445,11 @@ static int pps_multilayer_extension(GetBitContext *gb, AVCodecContext *avctx, } pps->colour_mapping_enabled_flag = get_bits1(gb); - if (pps->colour_mapping_enabled_flag) - colour_mapping_table(gb, pps); + if (pps->colour_mapping_enabled_flag) { + int ret = colour_mapping_table(gb, avctx, pps); + if (ret < 0) + return ret; + } return 0; }