avformat/hevc: Check cpb_cnt_minus1
authorMichael Niedermayer <michaelni@gmx.at>
Tue, 12 May 2015 17:09:06 +0000 (19:09 +0200)
committerMichael Niedermayer <michaelni@gmx.at>
Fri, 15 May 2015 08:04:51 +0000 (10:04 +0200)
Fixes CID1239014

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2cddc0b19a20dd061dbf199bf88005b37c540d2f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
libavformat/hevc.c

index 45b00c4..8ef3c1f 100644 (file)
@@ -189,7 +189,7 @@ static void skip_sub_layer_hrd_parameters(GetBitContext *gb,
     }
 }
 
-static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
+static int skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
                                 unsigned int max_sub_layers_minus1)
 {
     unsigned int i;
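Review bot: The new int return value of skip_hrd_parameters() is only useful if its call sites check it, and none of the hunks shown here touches a caller. If a caller still ignores the result, the AVERROR_INVALIDDATA from the new early return is dropped and parsing continues with the bit reader left in the middle of the HRD structure, so later fields would be read from the wrong offset. Each call site should propagate the error, along the lines of `if ((ret = skip_hrd_parameters(...)) < 0) return ret;`, which may mean the enclosing parse functions have to return int as well. A one-line header comment would also help, for example `/* Returns 0 on success, AVERROR_INVALIDDATA if cpb_cnt_minus1 is out of range. */`. The function body continues outside this hunk.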
@@ -246,8 +246,11 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
         else
             low_delay_hrd_flag = get_bits1(gb);
 
-        if (!low_delay_hrd_flag)
+        if (!low_delay_hrd_flag) {
             cpb_cnt_minus1 = get_ue_golomb_long(gb);
+            if (cpb_cnt_minus1 > 31)
+                return AVERROR_INVALIDDATA;
+        }
 
         if (nal_hrd_parameters_present_flag)
             skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1,
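Review bot: The bound `31` in the added check is a bare literal, and nothing tells the reader that it is the specification limit rather than an arbitrary cap. A comment above the check, such as `/* cpb_cnt_minus1 shall be in the range 0..31 (HEVC HRD semantics) */`, would make that explicit. The value is decoded from an Exp-Golomb code in untrusted input and is then passed to skip_sub_layer_hrd_parameters(), where it presumably controls a loop count, so the comment should also say that the check bounds that work. The enclosing loop starts and ends outside this hunk.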
@@ -257,6 +260,8 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
             skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1,
                                           sub_pic_hrd_params_present_flag);
     }
+
+    return 0;
 }
 
 static void skip_timing_info(GetBitContext *gb)