[FFmpeg-devel] [PATCH] hevc: validate slice address length

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Fri Jul 10 19:49:36 CEST 2015


It is used as get_bits argument and reading 0 bits doesn't make sense.

Signed-off-by: Andreas Cadhalpun <Andreas.Cadhalpun at googlemail.com>
---
 libavcodec/hevc.c        | 6 ++++++
 libavcodec/hevc_parser.c | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 38734f0..d47af16 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -459,6 +459,12 @@ static int hls_slice_header(HEVCContext *s)
 
         slice_address_length = av_ceil_log2(s->sps->ctb_width *
                                             s->sps->ctb_height);
+        if (slice_address_length <= 0) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Invalid slice address length: %d\n",
+                   slice_address_length);
+            return AVERROR_INVALIDDATA;
+        }
         sh->slice_segment_addr = get_bits(gb, slice_address_length);
         if (sh->slice_segment_addr >= s->sps->ctb_width * s->sps->ctb_height) {
             av_log(s->avctx, AV_LOG_ERROR,
diff --git a/libavcodec/hevc_parser.c b/libavcodec/hevc_parser.c
index 3c7c3c3..3025e4d 100644
--- a/libavcodec/hevc_parser.c
+++ b/libavcodec/hevc_parser.c
@@ -200,6 +200,12 @@ static inline int parse_nal_units(AVCodecParserContext *s, AVCodecContext *avctx
 
                 slice_address_length = av_ceil_log2_c(h->sps->ctb_width *
                                                       h->sps->ctb_height);
+                if (slice_address_length <= 0) {
+                    av_log(h->avctx, AV_LOG_ERROR,
+                           "Invalid slice address length: %d\n",
+                           slice_address_length);
+                    return AVERROR_INVALIDDATA;
+                }
                 sh->slice_segment_addr = get_bits(gb, slice_address_length);
                 if (sh->slice_segment_addr >= h->sps->ctb_width * h->sps->ctb_height) {
                     av_log(h->avctx, AV_LOG_ERROR, "Invalid slice segment address: %u.\n",
-- 
2.1.4


More information about the ffmpeg-devel mailing list