hevc: Prevent some integer overflows

get_ue_golomb_long() returns an unsigned.

Sample-Id: 00001541-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
Luca Barbato 11 years ago
parent faf03ecba0
commit 838740e642
  1. 4
      libavcodec/hevc.c
  2. 4
      libavcodec/hevc.h
  3. 12
      libavcodec/hevc_ps.c

@ -338,7 +338,7 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb)
const HEVCSPS *sps = s->sps; const HEVCSPS *sps = s->sps;
int max_poc_lsb = 1 << sps->log2_max_poc_lsb; int max_poc_lsb = 1 << sps->log2_max_poc_lsb;
int prev_delta_msb = 0; int prev_delta_msb = 0;
int nb_sps = 0, nb_sh; unsigned int nb_sps = 0, nb_sh;
int i; int i;
rps->nb_refs = 0; rps->nb_refs = 0;
@ -759,7 +759,7 @@ static int hls_slice_header(HEVCContext *s)
} }
if (s->pps->slice_header_extension_present_flag) { if (s->pps->slice_header_extension_present_flag) {
int length = get_ue_golomb_long(gb); unsigned int length = get_ue_golomb_long(gb);
for (i = 0; i < length; i++) for (i = 0; i < length; i++)
skip_bits(gb, 8); // slice_header_extension_data_byte skip_bits(gb, 8); // slice_header_extension_data_byte
} }
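Review bot: In hls_slice_header the now-unsigned `length` is used as a loop bound with no check against the data left in the bitstream, so a large value read from the slice header makes the loop call `skip_bits(gb, 8)` up to roughly 2^32 times. Reject it before the loop, for example `if (length * 8LL > get_bits_left(gb)) return AVERROR_INVALIDDATA;`. The declaration of `i` is outside the hunk; if it is a signed `int`, `i < length` is now an unsigned comparison and `i++` can overflow before the loop ends, so the counter should be made unsigned as well. The function body starts and ends outside the hunk.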

@ -261,7 +261,7 @@ enum ScanType {
}; };
typedef struct ShortTermRPS { typedef struct ShortTermRPS {
int num_negative_pics; unsigned int num_negative_pics;
int num_delta_pocs; int num_delta_pocs;
int32_t delta_poc[32]; int32_t delta_poc[32];
uint8_t used[32]; uint8_t used[32];
@ -528,7 +528,7 @@ typedef struct HEVCPPS {
} HEVCPPS; } HEVCPPS;
typedef struct SliceHeader { typedef struct SliceHeader {
int pps_id; unsigned int pps_id;
///< address (in raster order) of the first block in the current slice segment ///< address (in raster order) of the first block in the current slice segment
unsigned int slice_segment_addr; unsigned int slice_segment_addr;
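Review bot: `num_negative_pics` becomes unsigned while the neighbouring `num_delta_pocs` stays `int`, so any expression that mixes the two is now evaluated in unsigned arithmetic, and a difference or a `>= 0` loop test built on it can no longer go negative. The use sites are not part of this section, so each one needs an audit, in particular anything that indexes `delta_poc[32]` or `used[32]`. A field comment would make the contract explicit, e.g. `///< bitstream-derived; must be range-checked before indexing delta_poc[]/used[]`. The same applies to `pps_id` in SliceHeader, whose range check is not visible here.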

@ -93,7 +93,7 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps,
uint8_t delta_rps_sign; uint8_t delta_rps_sign;
if (is_slice_header) { if (is_slice_header) {
int delta_idx = get_ue_golomb_long(gb) + 1; unsigned int delta_idx = get_ue_golomb_long(gb) + 1;
if (delta_idx > sps->nb_st_rps) { if (delta_idx > sps->nb_st_rps) {
av_log(s->avctx, AV_LOG_ERROR, av_log(s->avctx, AV_LOG_ERROR,
"Invalid value of delta_idx in slice header RPS: %d > %d.\n", "Invalid value of delta_idx in slice header RPS: %d > %d.\n",
@ -244,7 +244,7 @@ static void parse_ptl(HEVCContext *s, PTL *ptl, int max_num_sub_layers)
} }
} }
static void decode_sublayer_hrd(HEVCContext *s, int nb_cpb, static void decode_sublayer_hrd(HEVCContext *s, unsigned int nb_cpb,
int subpic_params_present) int subpic_params_present)
{ {
GetBitContext *gb = &s->HEVClc.gb; GetBitContext *gb = &s->HEVClc.gb;
@ -298,7 +298,7 @@ static void decode_hrd(HEVCContext *s, int common_inf_present,
for (i = 0; i < max_sublayers; i++) { for (i = 0; i < max_sublayers; i++) {
int low_delay = 0; int low_delay = 0;
int nb_cpb = 1; unsigned int nb_cpb = 1;
int fixed_rate = get_bits1(gb); int fixed_rate = get_bits1(gb);
if (!fixed_rate) if (!fixed_rate)
@ -553,18 +553,18 @@ static int scaling_list_data(HEVCContext *s, ScalingList *sl)
GetBitContext *gb = &s->HEVClc.gb; GetBitContext *gb = &s->HEVClc.gb;
uint8_t scaling_list_pred_mode_flag[4][6]; uint8_t scaling_list_pred_mode_flag[4][6];
int32_t scaling_list_dc_coef[2][6]; int32_t scaling_list_dc_coef[2][6];
int size_id, matrix_id, i, pos, delta; int size_id, matrix_id, i, pos;
for (size_id = 0; size_id < 4; size_id++) for (size_id = 0; size_id < 4; size_id++)
for (matrix_id = 0; matrix_id < (size_id == 3 ? 2 : 6); matrix_id++) { for (matrix_id = 0; matrix_id < (size_id == 3 ? 2 : 6); matrix_id++) {
scaling_list_pred_mode_flag[size_id][matrix_id] = get_bits1(gb); scaling_list_pred_mode_flag[size_id][matrix_id] = get_bits1(gb);
if (!scaling_list_pred_mode_flag[size_id][matrix_id]) { if (!scaling_list_pred_mode_flag[size_id][matrix_id]) {
delta = get_ue_golomb_long(gb); unsigned int delta = get_ue_golomb_long(gb);
/* Only need to handle non-zero delta. Zero means default, /* Only need to handle non-zero delta. Zero means default,
* which should already be in the arrays. */ * which should already be in the arrays. */
if (delta) { if (delta) {
// Copy from previous array. // Copy from previous array.
if (matrix_id - delta < 0) { if (matrix_id < delta) {
av_log(s->avctx, AV_LOG_ERROR, av_log(s->avctx, AV_LOG_ERROR,
"Invalid delta in scaling list data: %d.\n", delta); "Invalid delta in scaling list data: %d.\n", delta);
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
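Review bot: In ff_hevc_decode_short_term_rps, `get_ue_golomb_long(gb) + 1` is computed in unsigned arithmetic, so it wraps to 0 if the call ever returns UINT_MAX, and the `delta_idx > sps->nb_st_rps` guard only rejects values that are too large. Adding a lower bound closes that case: `if (delta_idx == 0 || delta_idx > sps->nb_st_rps) {`. How `delta_idx` is used after the check is outside the hunk, so the impact of a zero value should be confirmed there. Separately, the log calls still print the now-unsigned `delta_idx` and, in the scaling_list_data hunk, `delta` with `%d`; these should become `%u` so a large value is not reported as negative.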
