avcodec/hevc: Check offset_len
authorMichael Niedermayer <michaelni@gmx.at>
Wed, 13 May 2015 11:13:07 +0000 (13:13 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 1 Jun 2015 21:25:20 +0000 (23:25 +0200)
Fixes CID1239099 part 1

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 3e9d5e16ad9799f6b6faae4f21120d23146b84c9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavcodec/hevc.c

index 4551bd4..8c6b1b5 100644 (file)
@@ -679,6 +679,13 @@ static int hls_slice_header(HEVCContext *s)
             int offset_len = get_ue_golomb_long(gb) + 1;
             int segments = offset_len >> 4;
             int rest = (offset_len & 15);
+
+            if (offset_len < 1 || offset_len > 32) {
+                sh->num_entry_point_offsets = 0;
+                av_log(s->avctx, AV_LOG_ERROR, "offset_len %d is invalid\n", offset_len);
+                return AVERROR_INVALIDDATA;
+            }
+
             av_freep(&sh->entry_point_offset);
             av_freep(&sh->offset);
             av_freep(&sh->size);