avcodec/hevc_ps: More completely check vps_num_layer_sets
authorMichael Niedermayer <michaelni@gmx.at>
Wed, 13 May 2015 11:35:37 +0000 (13:35 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 15 May 2015 08:04:51 +0000 (10:04 +0200)
Fixes CID1239052  part1

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 16c95b107365cdbfcde1945370b59fc7e17e0309)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/hevc_ps.c

index 075a4bd..ffd65c4 100644 (file)
@@ -424,7 +424,8 @@ int ff_hevc_decode_nal_vps(HEVCContext *s)
 
     vps->vps_max_layer_id   = get_bits(gb, 6);
     vps->vps_num_layer_sets = get_ue_golomb_long(gb) + 1;
-    if ((vps->vps_num_layer_sets - 1LL) * (vps->vps_max_layer_id + 1LL) > get_bits_left(gb)) {
+    if (vps->vps_num_layer_sets < 1 || vps->vps_num_layer_sets > 1024 ||
+        (vps->vps_num_layer_sets - 1LL) * (vps->vps_max_layer_id + 1LL) > get_bits_left(gb)) {
         av_log(s->avctx, AV_LOG_ERROR, "too many layer_id_included_flags\n");
         goto err;
     }