diff options
| author | Seungha Yang <seungha@centricular.com> | 2020-06-25 17:51:11 +0900 |
|---|---|---|
| committer | Nicolas Dufresne <nicolas@ndufresne.ca> | 2020-07-14 16:34:46 +0000 |
| commit | 2d71ad49f8dcd5ec72fadb9436484b3fcb3bf27c (patch) | |
| tree | d52bc9e27caf8baf1c244b3fc97c4daf69c64092 /gst-libs | |
| parent | 495ed45d056cc4ae88c95b5587732d87382e93a1 (diff) | |
| download | gstreamer-plugins-bad-2d71ad49f8dcd5ec72fadb9436484b3fcb3bf27c.tar.gz | |
h265parser: Fix possible invalid memory access
... and do more strict validation for num_tile_columns_minus1 and
num_tile_rows_minus1.
As per specification Table A.8, allowed maximum number of tile rows
and tile columns are 22 and 20, respectively. So we should adjust the size
of each array.
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1372>
Diffstat (limited to 'gst-libs')
| -rw-r--r-- | gst-libs/gst/codecparsers/gsth265parser.c | 19 | ||||
| -rw-r--r-- | gst-libs/gst/codecparsers/gsth265parser.h | 4 |
2 files changed, 19 insertions, 4 deletions
diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c index e63215dcd..26e68b276 100644 --- a/gst-libs/gst/codecparsers/gsth265parser.c +++ b/gst-libs/gst/codecparsers/gsth265parser.c @@ -2164,8 +2164,23 @@ gst_h265_parse_pps (GstH265Parser * parser, GstH265NalUnit * nalu, READ_UINT8 (&nr, pps->entropy_coding_sync_enabled_flag, 1); if (pps->tiles_enabled_flag) { - READ_UE_ALLOWED (&nr, pps->num_tile_columns_minus1, 0, 19); - READ_UE_ALLOWED (&nr, pps->num_tile_rows_minus1, 0, 21); + READ_UE_ALLOWED (&nr, + pps->num_tile_columns_minus1, 0, pps->PicWidthInCtbsY - 1); + READ_UE_ALLOWED (&nr, + pps->num_tile_rows_minus1, 0, pps->PicHeightInCtbsY - 1); + + if (pps->num_tile_columns_minus1 + 1 > + G_N_ELEMENTS (pps->column_width_minus1)) { + GST_WARNING ("Invalid \"num_tile_columns_minus1\" %d", + pps->num_tile_columns_minus1); + goto error; + } + + if (pps->num_tile_rows_minus1 + 1 > G_N_ELEMENTS (pps->row_height_minus1)) { + GST_WARNING ("Invalid \"num_tile_rows_minus1\" %d", + pps->num_tile_rows_minus1); + goto error; + } READ_UINT8 (&nr, pps->uniform_spacing_flag, 1); /* 6.5.1, 6-4, 6-5, 7.4.3.3.1 */ diff --git a/gst-libs/gst/codecparsers/gsth265parser.h b/gst-libs/gst/codecparsers/gsth265parser.h index 021e89fb4..073123d7c 100644 --- a/gst-libs/gst/codecparsers/gsth265parser.h +++ b/gst-libs/gst/codecparsers/gsth265parser.h @@ -1229,8 +1229,8 @@ struct _GstH265PPS guint8 num_tile_columns_minus1; guint8 num_tile_rows_minus1; guint8 uniform_spacing_flag; - guint32 column_width_minus1[19]; - guint32 row_height_minus1[21]; + guint32 column_width_minus1[20]; + guint32 row_height_minus1[22]; guint8 loop_filter_across_tiles_enabled_flag; guint8 loop_filter_across_slices_enabled_flag; |