From 2d71ad49f8dcd5ec72fadb9436484b3fcb3bf27c Mon Sep 17 00:00:00 2001
From: Seungha Yang
Date: Thu, 25 Jun 2020 17:51:11 +0900
Subject: [PATCH] h265parser: Fix possible invalid memory access

... and do more strict validation for num_tile_columns_minus1 and num_tile_rows_minus1. As per specification Table A.8, allowed maximum number of tile rows and tile columns are 22 and 20, respectively. So we should adjust the size of each array.

Part-of:
---
 gst-libs/gst/codecparsers/gsth265parser.c | 19 +++++++++++++++++--
 gst-libs/gst/codecparsers/gsth265parser.h |  4 ++--
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/gst-libs/gst/codecparsers/gsth265parser.c b/gst-libs/gst/codecparsers/gsth265parser.c
index e63215dcd1..26e68b276e 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.c
+++ b/gst-libs/gst/codecparsers/gsth265parser.c
@@ -2164,8 +2164,23 @@ gst_h265_parse_pps (GstH265Parser * parser, GstH265NalUnit * nalu,
   READ_UINT8 (&nr, pps->entropy_coding_sync_enabled_flag, 1);
 
   if (pps->tiles_enabled_flag) {
-    READ_UE_ALLOWED (&nr, pps->num_tile_columns_minus1, 0, 19);
-    READ_UE_ALLOWED (&nr, pps->num_tile_rows_minus1, 0, 21);
+    READ_UE_ALLOWED (&nr,
+        pps->num_tile_columns_minus1, 0, pps->PicWidthInCtbsY - 1);
+    READ_UE_ALLOWED (&nr,
+        pps->num_tile_rows_minus1, 0, pps->PicHeightInCtbsY - 1);
+
+    if (pps->num_tile_columns_minus1 + 1 >
+        G_N_ELEMENTS (pps->column_width_minus1)) {
+      GST_WARNING ("Invalid \"num_tile_columns_minus1\" %d",
+          pps->num_tile_columns_minus1);
+      goto error;
+    }
+
+    if (pps->num_tile_rows_minus1 + 1 > G_N_ELEMENTS (pps->row_height_minus1)) {
+      GST_WARNING ("Invalid \"num_tile_rows_minus1\" %d",
+          pps->num_tile_rows_minus1);
+      goto error;
+    }
 
     READ_UINT8 (&nr, pps->uniform_spacing_flag, 1);
     /* 6.5.1, 6-4, 6-5, 7.4.3.3.1 */
diff --git a/gst-libs/gst/codecparsers/gsth265parser.h b/gst-libs/gst/codecparsers/gsth265parser.h
index 021e89fb44..073123d7c1 100644
--- a/gst-libs/gst/codecparsers/gsth265parser.h
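Review bot: The upper bound `pps->PicWidthInCtbsY - 1` handed to READ_UE_ALLOWED can be well above 255 for large pictures with a small CTB size, yet `num_tile_columns_minus1` is a guint8 (see the header hunk), so assuming the macro stores the ue value into that field a value such as 256 that passes the range check is truncated to 0 on assignment, then also passes the new G_N_ELEMENTS check, and the PPS is accepted with a wrong tile count; the same applies to `num_tile_rows_minus1`. Capping the read by the array size closes that window and makes the two added follow-up checks redundant: `READ_UE_ALLOWED (&nr, pps->num_tile_columns_minus1, 0, MIN (pps->PicWidthInCtbsY - 1, G_N_ELEMENTS (pps->column_width_minus1) - 1));` and likewise `MIN (pps->PicHeightInCtbsY - 1, G_N_ELEMENTS (pps->row_height_minus1) - 1)` for the rows. PicWidthInCtbsY and PicHeightInCtbsY are derived outside the hunk; if either can be 0 at this point, `- 1` on an unsigned value wraps and the new upper bound is ineffective, so that derivation should be confirmed or guarded before these reads. gst_h265_parse_pps starts and ends outside the hunk.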
+++ b/gst-libs/gst/codecparsers/gsth265parser.h
@@ -1229,8 +1229,8 @@ struct _GstH265PPS
   guint8 num_tile_columns_minus1;
   guint8 num_tile_rows_minus1;
   guint8 uniform_spacing_flag;
-  guint32 column_width_minus1[19];
-  guint32 row_height_minus1[21];
+  guint32 column_width_minus1[20];
+  guint32 row_height_minus1[22];
   guint8 loop_filter_across_tiles_enabled_flag;
   guint8 loop_filter_across_slices_enabled_flag;
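Review bot: The new sizes 20 and 22 are bare magic numbers at the declaration site, and the only place that ties them to the standard is the commit message; a comment on the two array lines would let the next reader (and the G_N_ELEMENTS checks in the .c hunk that depend on them) see where the limits come from, e.g. `/* Table A.8: MaxTileCols = 20, MaxTileRows = 22 */`. Since GstH265PPS lives in a public header, growing these arrays also changes sizeof (GstH265PPS) and the offsets of every field after them, so anything built against the previous layout would see a mismatch; worth confirming this struct carries no ABI guarantee before merging.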