diff options
| author | Seungha Yang <seungha@centricular.com> | 2020-06-25 19:26:45 +0900 |
|---|---|---|
| committer | GStreamer Merge Bot <gitlab-merge-bot@gstreamer-foundation.org> | 2020-06-25 13:58:57 +0000 |
| commit | 48ca7c7e93ab8001eb506c0fb05cf1c7a9f16b0d (patch) | |
| tree | 16823bb1b923e9e5748ad93941a5b1a7bc50e1bc /sys/nvcodec | |
| parent | 290d0432c3d12d69c43f96a7141b8bf0ae83bf46 (diff) | |
| download | gstreamer-plugins-bad-48ca7c7e93ab8001eb506c0fb05cf1c7a9f16b0d.tar.gz | |
nvh265sldec: Fix possible invalid memory access
Fix Coverity issues.
CID 1464959, 1464960, 1464961, 1464962
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1374>
Diffstat (limited to 'sys/nvcodec')
| -rw-r--r-- | sys/nvcodec/gstnvh265dec.c | 47 |
1 files changed, 31 insertions, 16 deletions
diff --git a/sys/nvcodec/gstnvh265dec.c b/sys/nvcodec/gstnvh265dec.c index 62575b03b..c491f3a53 100644 --- a/sys/nvcodec/gstnvh265dec.c +++ b/sys/nvcodec/gstnvh265dec.c @@ -602,26 +602,41 @@ gst_nv_h265_dec_picture_params_from_pps (GstNvH265Dec * self, COPY_FIELD_WITH_PREFIX (tc_offset_div2); COPY_FIELD (tiles_enabled_flag); COPY_FIELD (uniform_spacing_flag); - COPY_FIELD (num_tile_columns_minus1); - COPY_FIELD (num_tile_rows_minus1); - if (pps->num_tile_columns_minus1 > G_N_ELEMENTS (params->column_width_minus1)) { - GST_ERROR_OBJECT (self, - "Too large column_width_minus1 %d", pps->num_tile_columns_minus1); - return FALSE; - } + if (pps->tiles_enabled_flag) { + guint num_tile_columns; + guint num_tile_rows; - if (pps->num_tile_rows_minus1 > G_N_ELEMENTS (params->row_height_minus1)) { - GST_ERROR_OBJECT (self, - "Too large num_tile_rows_minus1 %d", pps->num_tile_rows_minus1); - return FALSE; - } + COPY_FIELD (num_tile_columns_minus1); + COPY_FIELD (num_tile_rows_minus1); + + if (pps->num_tile_columns_minus1 > + G_N_ELEMENTS (params->column_width_minus1)) { + GST_ERROR_OBJECT (self, + "Too large column_width_minus1 %d", pps->num_tile_columns_minus1); + return FALSE; + } - for (i = 0; i < pps->num_tile_columns_minus1 + 1; i++) - COPY_FIELD (column_width_minus1[i]); + if (pps->num_tile_rows_minus1 > G_N_ELEMENTS (params->row_height_minus1)) { + GST_ERROR_OBJECT (self, + "Too large num_tile_rows_minus1 %d", pps->num_tile_rows_minus1); + return FALSE; + } - for (i = 0; i < pps->num_tile_rows_minus1 + 1; i++) - COPY_FIELD (row_height_minus1[i]); + /* XXX: The size of column_width_minus1 array in CUVIDHEVCPICPARAMS struct + * is 21 which is inconsistent with the spec. + * Just copy values as many as possible */ + num_tile_columns = MIN (pps->num_tile_columns_minus1, + G_N_ELEMENTS (pps->column_width_minus1)); + num_tile_rows = MIN (pps->num_tile_rows_minus1, + G_N_ELEMENTS (pps->row_height_minus1)); + + for (i = 0; i < num_tile_columns; i++) + COPY_FIELD (column_width_minus1[i]); + + for (i = 0; i < num_tile_rows; i++) + COPY_FIELD (row_height_minus1[i]); + } COPY_FIELD (pps_range_extension_flag); if (pps->pps_range_extension_flag) { |