From 5ec85c9750f0770383b781acd6362a8bebbf4db6 Mon Sep 17 00:00:00 2001 From: Christophe Gisquet Date: Sun, 10 Aug 2014 19:22:06 +0200 Subject: [PATCH] hevc: do generic validation of bitstream After finishing parsing VPS/SPS/PPS/slice header, check remaining bits, and if an overconsumption occurred, report invalid data. Liked-by: BBB Signed-off-by: Michael Niedermayer
---
 libavcodec/hevc.c | 6 ++++++ libavcodec/hevc_ps.c | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+)
diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 829b5d1969..3170d8496e 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -740,6 +740,12 @@ static int hls_slice_header(HEVCContext *s)
 return AVERROR_INVALIDDATA;
 }
+ if (get_bits_left(gb) < 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Overread slice header by %d bits\n", -get_bits_left(gb));
+ return AVERROR_INVALIDDATA;
+ }
+
 s->HEVClc->first_qp_group = !s->sh.dependent_slice_segment_flag;
 if (!s->pps->cu_qp_delta_enabled_flag)
diff --git a/libavcodec/hevc_ps.c b/libavcodec/hevc_ps.c
index fe974bcbf2..163c5e4aab 100644
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -452,6 +452,12 @@ int ff_hevc_decode_nal_vps(HEVCContext *s)
 }
 get_bits1(gb); /* vps_extension_flag */
+ if (get_bits_left(gb) < 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Overread VPS by %d bits\n", -get_bits_left(gb));
+ goto err;
+ }
+
 av_buffer_unref(&s->vps_list[vps_id]);
 s->vps_list[vps_id] = vps_buf;
 return 0;
@@ -1050,6 +1056,12 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
 goto err;
 }
+ if (get_bits_left(gb) < 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Overread SPS by %d bits\n", -get_bits_left(gb));
+ goto err;
+ }
+
 if (s->avctx->debug & FF_DEBUG_BITSTREAM) {
 av_log(s->avctx, AV_LOG_DEBUG, "Parsed SPS: id %d; coded wxh: %dx%d; " 
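Review bot: The overread check in hls_slice_header fires only after the whole slice header has been parsed, so any field decoded from past the end of the NAL may already have been stored in the context and passed earlier range checks by the time this return is reached. The function body starts outside the hunk, so which fields are affected cannot be confirmed from here. A comment above the check would make the contract explicit, e.g. `/* Late sanity check: fields parsed above may come from beyond the buffer end; the slice header is not valid when this fails. */`. It would also read more clearly to take the value once, `int left = get_bits_left(gb);`, test `left < 0` and log `-left`, instead of calling get_bits_left() twice.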
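Review bot: The new overread branch in ff_hevc_decode_nal_vps jumps to `err` without setting an error code, and the `err` label lies outside the hunk, so the value returned on this path cannot be verified from the visible lines. If that label returns a local status variable instead of a constant, the variable should be set to `AVERROR_INVALIDDATA` before `goto err;`. Otherwise a parameter set that overran its buffer could be dropped while the caller is told parsing succeeded. The same bare `goto err;` appears in the SPS and PPS hunks and deserves the same check, whereas the slice-header check in hevc.c returns `AVERROR_INVALIDDATA` explicitly.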
@@ -1473,6 +1485,12 @@ int ff_hevc_decode_nal_pps(HEVCContext *s)
 }
 }
+ if (get_bits_left(gb) < 0) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Overread PPS by %d bits\n", -get_bits_left(gb));
+ goto err;
+ }
+
 av_buffer_unref(&s->pps_list[pps_id]);
 s->pps_list[pps_id] = pps_buf;