From: Luca Barbato Date: Sat, 11 Jan 2014 19:13:20 +0000 (+0100) Subject: hevc: Bound check slice_qp X-Git-Tag: android-x86-6.0-r1~10^2~2306 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=0d999333f96a34903448579bf13a3209deaee9da;p=android-x86%2Fexternal-ffmpeg.git hevc: Bound check slice_qp The T-REC-H.265-2013044 page 79 states it has to be in the range [-s->sps->qp_bd_offset, 51]. Sample-Id: 00001386-google Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org --- diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 01d3a7758c..9c47a73b4b 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -703,6 +703,7 @@ static int hls_slice_header(HEVCContext *s) } sh->slice_qp_delta = get_se_golomb(gb); + if (s->pps->pic_slice_level_chroma_qp_offsets_present_flag) { sh->slice_cb_qp_offset = get_se_golomb(gb); sh->slice_cr_qp_offset = get_se_golomb(gb); @@ -765,7 +766,17 @@ static int hls_slice_header(HEVCContext *s) } // Inferred parameters - sh->slice_qp = 26 + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta; + sh->slice_qp = 26 + s->pps->pic_init_qp_minus26 + sh->slice_qp_delta; + if (sh->slice_qp > 51 || + sh->slice_qp < -s->sps->qp_bd_offset) { + av_log(s->avctx, AV_LOG_ERROR, + "The slice_qp %d is outside the valid range " + "[%d, 51].\n", + sh->slice_qp, + -s->sps->qp_bd_offset); + return AVERROR_INVALIDDATA; + } + sh->slice_ctb_addr_rs = sh->slice_segment_addr; s->HEVClc.first_qp_group = !s->sh.dependent_slice_segment_flag;