From 3d1199dff63dcfe75df15a0250ddd0361cafa150 Mon Sep 17 00:00:00 2001
From: James Almer
Date: Thu, 22 Jun 2023 10:44:44 -0300
Subject: [PATCH] avformat/evc: add range checks to evcc_parse_sps and return proper error codes

Signed-off-by: James Almer
---
 libavformat/evc.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/libavformat/evc.c b/libavformat/evc.c
index 9d0fe8d84c..287e5f8b28 100644
--- a/libavformat/evc.c
+++ b/libavformat/evc.c
@@ -88,17 +88,19 @@ static int evcc_parse_sps(const uint8_t *bs, int bs_size, EVCDecoderConfiguratio
 {
 GetBitContext gb;
 unsigned sps_seq_parameter_set_id;
+ int ret;

 bs += EVC_NALU_HEADER_SIZE;
 bs_size -= EVC_NALU_HEADER_SIZE;

- if (init_get_bits8(&gb, bs, bs_size) < 0)
- return 0;
+ ret = init_get_bits8(&gb, bs, bs_size);
+ if (ret < 0)
+ return ret;

 sps_seq_parameter_set_id = get_ue_golomb_31(&gb);

 if (sps_seq_parameter_set_id >= EVC_MAX_SPS_COUNT)
- return 0;
+ return AVERROR_INVALIDDATA;

 // the Baseline profile is indicated by profile_idc eqal to 0
 // the Main profile is indicated by profile_idc eqal to 1
@@ -114,12 +116,17 @@ static int evcc_parse_sps(const uint8_t *bs, int bs_size, EVCDecoderConfiguratio
 // 2 - 4:2:2
 // 3 - 4:4:4
 evcc->chroma_format_idc = get_ue_golomb_31(&gb);
+ if (evcc->chroma_format_idc > 3)
+ return AVERROR_INVALIDDATA;

 evcc->pic_width_in_luma_samples = get_ue_golomb_long(&gb);
 evcc->pic_height_in_luma_samples = get_ue_golomb_long(&gb);

 evcc->bit_depth_luma_minus8 = get_ue_golomb_31(&gb);
 evcc->bit_depth_chroma_minus8 = get_ue_golomb_31(&gb);
+ // EVCDecoderConfigurationRecord can't store values > 7. Limit it to bit depth 14.
+ if (evcc->bit_depth_luma_minus8 > 6 || evcc->bit_depth_chroma_minus8 > 6)
+ return AVERROR_INVALIDDATA;

 return 0;
 }
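Review bot: In the first hunk, `bs += EVC_NALU_HEADER_SIZE;` and `bs_size -= EVC_NALU_HEADER_SIZE;` still run before anything confirms that bs_size is at least the header size, so a truncated SPS NAL unit moves bs past the end of its buffer and makes bs_size negative; the code then presumably depends on init_get_bits8 rejecting the negative size. A guard ahead of the two adjustments, `if (bs_size < EVC_NALU_HEADER_SIZE) return AVERROR_INVALIDDATA;`, would state the requirement directly and avoid the out-of-range pointer arithmetic. Because every path used to return 0, the caller (not part of this diff) should also be checked to confirm it acts on the new negative return values instead of discarding them. The function body continues past the end of this hunk.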
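Review bot: In the second hunk, pic_width_in_luma_samples and pic_height_in_luma_samples are still assigned straight from get_ue_golomb_long() with no bound, while the neighbouring fields now get range checks. If those record fields are narrower than the value the reader can return (the struct definition is outside this hunk), an oversized value from a crafted SPS would be truncated silently and stored in the configuration record; reading each into a local `unsigned` and returning AVERROR_INVALIDDATA when it does not fit the field would close that. It would also be worth adding `if (get_bits_left(&gb) < 0) return AVERROR_INVALIDDATA;` before the final `return 0;`, so that an SPS that ends early is not accepted with fields read past the end of the data. The function begins before this hunk.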