From 838740e6420538ad45982da6b1d3aa3ae91307f5 Mon Sep 17 00:00:00 2001 From: Luca Barbato Date: Sat, 11 Jan 2014 12:33:42 +0100 Subject: [PATCH] hevc: Prevent some integer overflows get_ue_golomb_long() returns an unsigned. Sample-Id: 00001541-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- libavcodec/hevc.c | 4 ++-- libavcodec/hevc.h | 4 ++-- libavcodec/hevc_ps.c | 12 ++++++------ 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index d5175f5..01d3a77 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -338,7 +338,7 @@ static int decode_lt_rps(HEVCContext *s, LongTermRPS *rps, GetBitContext *gb) const HEVCSPS *sps = s->sps; int max_poc_lsb = 1 << sps->log2_max_poc_lsb; int prev_delta_msb = 0; - int nb_sps = 0, nb_sh; + unsigned int nb_sps = 0, nb_sh; int i; rps->nb_refs = 0; @@ -759,7 +759,7 @@ static int hls_slice_header(HEVCContext *s) } if (s->pps->slice_header_extension_present_flag) { - int length = get_ue_golomb_long(gb); + unsigned int length = get_ue_golomb_long(gb); for (i = 0; i < length; i++) skip_bits(gb, 8); // slice_header_extension_data_byte } diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h index 6c99d9b..a674899 100644 --- a/libavcodec/hevc.h +++ b/libavcodec/hevc.h @@ -261,7 +261,7 @@ enum ScanType { }; typedef struct ShortTermRPS { - int num_negative_pics; + unsigned int num_negative_pics; int num_delta_pocs; int32_t delta_poc[32]; uint8_t used[32]; @@ -528,7 +528,7 @@ typedef struct HEVCPPS { } HEVCPPS; typedef struct SliceHeader { - int pps_id; + unsigned int pps_id; ///< address (in raster order) of the first block in the current slice segment unsigned int slice_segment_addr; diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c index 829294f..0c1550e 100644 --- a/libavcodec/hevc_ps.c +++ b/libavcodec/hevc_ps.c @@ -93,7 +93,7 @@ int ff_hevc_decode_short_term_rps(HEVCContext *s, ShortTermRPS *rps, uint8_t delta_rps_sign; if (is_slice_header) { - int delta_idx = get_ue_golomb_long(gb) + 1; + unsigned int delta_idx = get_ue_golomb_long(gb) + 1; if (delta_idx > sps->nb_st_rps) { av_log(s->avctx, AV_LOG_ERROR, "Invalid value of delta_idx in slice header RPS: %d > %d.\n", @@ -244,7 +244,7 @@ static void parse_ptl(HEVCContext *s, PTL *ptl, int max_num_sub_layers) } } -static void decode_sublayer_hrd(HEVCContext *s, int nb_cpb, +static void decode_sublayer_hrd(HEVCContext *s, unsigned int nb_cpb, int subpic_params_present) { GetBitContext *gb = &s->HEVClc.gb; @@ -298,7 +298,7 @@ static void decode_hrd(HEVCContext *s, int common_inf_present, for (i = 0; i < max_sublayers; i++) { int low_delay = 0; - int nb_cpb = 1; + unsigned int nb_cpb = 1; int fixed_rate = get_bits1(gb); if (!fixed_rate) @@ -553,18 +553,18 @@ static int scaling_list_data(HEVCContext *s, ScalingList *sl) GetBitContext *gb = &s->HEVClc.gb; uint8_t scaling_list_pred_mode_flag[4][6]; int32_t scaling_list_dc_coef[2][6]; - int size_id, matrix_id, i, pos, delta; + int size_id, matrix_id, i, pos; for (size_id = 0; size_id < 4; size_id++) for (matrix_id = 0; matrix_id < (size_id == 3 ? 2 : 6); matrix_id++) { scaling_list_pred_mode_flag[size_id][matrix_id] = get_bits1(gb); if (!scaling_list_pred_mode_flag[size_id][matrix_id]) { - delta = get_ue_golomb_long(gb); + unsigned int delta = get_ue_golomb_long(gb); /* Only need to handle non-zero delta. Zero means default, * which should already be in the arrays. */ if (delta) { // Copy from previous array. - if (matrix_id - delta < 0) { + if (matrix_id < delta) { av_log(s->avctx, AV_LOG_ERROR, "Invalid delta in scaling list data: %d.\n", delta); return AVERROR_INVALIDDATA; -- 2.7.4