avcodec/hevc: Check num_entry_point_offsets

Fixes CID1239099 part 2 Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
10 years ago · 1c6ae98d4a
parent 3e9d5e16ad
commit 1c6ae98d4a
1 changed files with 8 additions and 1 deletions
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@ -707,7 +707,14 @@ static int hls_slice_header(HEVCContext *s)

    sh->num_entry_point_offsets = 0;
    if (s->pps->tiles_enabled_flag || s->pps->entropy_coding_sync_enabled_flag) {
-        sh->num_entry_point_offsets = get_ue_golomb_long(gb);
+        unsigned num_entry_point_offsets = get_ue_golomb_long(gb);
+        // It would be possible to bound this tighter but this here is simpler
+        if (sh->num_entry_point_offsets > get_bits_left(gb)) {
+            av_log(s->avctx, AV_LOG_ERROR, "num_entry_point_offsets %d is invalid\n", num_entry_point_offsets);
+            return AVERROR_INVALIDDATA;
+        }
+
+        sh->num_entry_point_offsets = num_entry_point_offsets;
        if (sh->num_entry_point_offsets > 0) {
            int offset_len = get_ue_golomb_long(gb) + 1;
            int segments = offset_len >> 4;