From 117f593cff5b6ba5ef9d0d1100ede56c8756809c Mon Sep 17 00:00:00 2001
From: Seungha Yang <seungha@centricular.com>
Date: Thu, 25 Jun 2020 19:41:52 +0900
Subject: [PATCH] d3d11h265dec: Fix possible invalid memory access

The number of element to copy should be num_tile_columns_minus1
and num_tile_rows_minus1.

Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1374>
---
 sys/d3d11/gstd3d11h265dec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/d3d11/gstd3d11h265dec.c b/sys/d3d11/gstd3d11h265dec.c
index 8dce255044..8121c6337b 100644
--- a/sys/d3d11/gstd3d11h265dec.c
+++ b/sys/d3d11/gstd3d11h265dec.c
@@ -958,10 +958,12 @@ gst_d3d11_h265_dec_picture_params_from_pps (GstD3D11H265Dec * self,
     COPY_FIELD (num_tile_columns_minus1);
     COPY_FIELD (num_tile_rows_minus1);
     if (!pps->uniform_spacing_flag) {
-      for (i = 0; i < pps->num_tile_columns_minus1 + 1; i++)
+      for (i = 0; i < pps->num_tile_columns_minus1 &&
+          i < G_N_ELEMENTS (params->column_width_minus1); i++)
         COPY_FIELD (column_width_minus1[i]);
 
-      for (i = 0; i < pps->num_tile_rows_minus1 + 1; i++)
+      for (i = 0; i < pps->num_tile_rows_minus1 &&
+          i < G_N_ELEMENTS (params->row_height_minus1); i++)
         COPY_FIELD (row_height_minus1[i]);
     }
   }