Coverity scan bug:
Scalars (for example, integers) that are not properly
bounds-checked (sanitized) before being used as array or pointer
indexes, loop boundaries, or function arguments are considered
tainted.
In this case, num_nals was not checked before being used as loop control.
num_nal_arrays = buf[22];
ofs = 23;
for (i = 0; i < num_nal_arrays; i++) {
- num_nals = GST_READ_UINT16_BE (buf + ofs + 1);
+ const guchar *data;
+
+ if (ofs + 1 > buf_size)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ data = buf + ofs + 1;
+ if (!data)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ num_nals = GST_READ_UINT16_BE (data);
+ /* the max number of nals is GST_H265_MAX_PPS_COUNT (64) */
+ if (num_nals > 64)
+ return GST_VAAPI_DECODER_STATUS_ERROR_BITSTREAM_PARSER;
ofs += 3;
for (j = 0; j < num_nals; j++) {
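Review bot: the new bounds check `if (ofs + 1 > buf_size)` is one byte short for the read it guards: `GST_READ_UINT16_BE (data)` with `data = buf + ofs + 1` reads `buf[ofs + 1]` and `buf[ofs + 2]`, so `ofs + 1 == buf_size` passes the check while the second byte is already past the end of the buffer. The condition should be `if (ofs + 3 > buf_size)` (equivalently `ofs + 2 >= buf_size`) so that both bytes of the 16-bit field are inside `buf_size`. The `if (!data)` test that follows is redundant and gives no protection: `buf + ofs + 1` is pointer arithmetic on an already-valid `buf` and is never NULL, so it cannot catch an out-of-range offset; drop it in favour of the corrected size check. The `num_nals > 64` cap borrowed from GST_H265_MAX_PPS_COUNT is a heuristic rather than the real bound; the number of NALs that can actually be present is limited by the bytes remaining after `ofs += 3`, so the inner `for (j = 0; j < num_nals; j++)` loop should still validate each read against `buf_size` rather than relying on the 64 limit alone.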