avcodec/hevc_refs: Check nb_refs in add_candidate_ref()
author Michael Niedermayer <michael@niedermayer.cc>
Wed, 14 Jun 2017 23:26:01 +0000 (01:26 +0200)
committer Michael Niedermayer <michael@niedermayer.cc>
Thu, 15 Jun 2017 01:09:40 +0000 (03:09 +0200)
Fixes: runtime error: index 16 out of bounds for type 'int [16]'
Fixes: 2209/clusterfuzz-testcase-minimized-5012343912136704

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
libavcodec/hevc_refs.c

index f9818c9..68c730e 100644 (file)
@@ -431,7 +431,7 @@ static int add_candidate_ref(HEVCContext *s, RefPicList *list,
 {
     HEVCFrame *ref = find_ref_idx(s, poc);
 
-    if (ref == s->ref)
+    if (ref == s->ref || list->nb_refs >= HEVC_MAX_REFS)
         return AVERROR_INVALIDDATA;
 
     if (!ref) {
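
Review bot: The new `list->nb_refs >= HEVC_MAX_REFS` test on the `if (ref == s->ref ...)` line folds a list-capacity limit into the same silent `AVERROR_INVALIDDATA` return as the self-reference case, so a rejected stream gives no hint which condition fired. Consider giving it its own `if` with a short comment or an error log saying the reference list is full. Since the test does not depend on `ref`, it could also sit above the `find_ref_idx(s, poc)` call. The report in the commit message names the overflowed type as `int [16]`, so it is worth confirming that the arrays indexed by `nb_refs` are declared with `HEVC_MAX_REFS` rather than a literal size, so the bound and the declaration cannot drift apart.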