mirror of
https://gitlab.freedesktop.org/gstreamer/gstreamer.git
synced 2024-09-08 21:28:45 +00:00
h265parser: Fix possible invalid memory access
... and do stricter validation for num_tile_columns_minus1 and num_tile_rows_minus1. As per specification Table A.8, the maximum allowed numbers of tile rows and tile columns are 22 and 20, respectively, so the size of each array should be adjusted accordingly. Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1372>
parent
495ed45d05
commit
2d71ad49f8
2 changed files with 19 additions and 4 deletions
|
@ -2164,8 +2164,23 @@ gst_h265_parse_pps (GstH265Parser * parser, GstH265NalUnit * nalu,
|
||||||
READ_UINT8 (&nr, pps->entropy_coding_sync_enabled_flag, 1);
|
READ_UINT8 (&nr, pps->entropy_coding_sync_enabled_flag, 1);
|
||||||
|
|
||||||
if (pps->tiles_enabled_flag) {
|
if (pps->tiles_enabled_flag) {
|
||||||
READ_UE_ALLOWED (&nr, pps->num_tile_columns_minus1, 0, 19);
|
READ_UE_ALLOWED (&nr,
|
||||||
READ_UE_ALLOWED (&nr, pps->num_tile_rows_minus1, 0, 21);
|
pps->num_tile_columns_minus1, 0, pps->PicWidthInCtbsY - 1);
|
||||||
|
READ_UE_ALLOWED (&nr,
|
||||||
|
pps->num_tile_rows_minus1, 0, pps->PicHeightInCtbsY - 1);
|
||||||
|
|
||||||
|
if (pps->num_tile_columns_minus1 + 1 >
|
||||||
|
G_N_ELEMENTS (pps->column_width_minus1)) {
|
||||||
|
GST_WARNING ("Invalid \"num_tile_columns_minus1\" %d",
|
||||||
|
pps->num_tile_columns_minus1);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (pps->num_tile_rows_minus1 + 1 > G_N_ELEMENTS (pps->row_height_minus1)) {
|
||||||
|
GST_WARNING ("Invalid \"num_tile_rows_minus1\" %d",
|
||||||
|
pps->num_tile_rows_minus1);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
|
||||||
READ_UINT8 (&nr, pps->uniform_spacing_flag, 1);
|
READ_UINT8 (&nr, pps->uniform_spacing_flag, 1);
|
||||||
/* 6.5.1, 6-4, 6-5, 7.4.3.3.1 */
|
/* 6.5.1, 6-4, 6-5, 7.4.3.3.1 */
|
||||||
|
|
|
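Review bot: The two array-size checks compare the `guint8` fields after `READ_UE_ALLOWED` has stored into them, so they may see a narrowed value rather than the value the bitstream carried. If the macro assigns the parsed value to the field after its own range check (its definition is not visible here), a value above 255 that the `PicWidthInCtbsY - 1` or `PicHeightInCtbsY - 1` limit admits would be truncated before the `G_N_ELEMENTS` comparison; later indexing stays in bounds, but an invalid PPS would be accepted with a different tile count instead of being rejected. Folding both limits into the read avoids that, e.g. `READ_UE_ALLOWED (&nr, pps->num_tile_columns_minus1, 0, MIN (pps->PicWidthInCtbsY - 1, G_N_ELEMENTS (pps->column_width_minus1) - 1));` and the same for rows. It is also worth confirming that `PicWidthInCtbsY` and `PicHeightInCtbsY` are non-zero at this point, since `- 1` on zero would widen the limit; gst_h265_parse_pps begins and ends outside this hunk, so that cannot be checked from here.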
@ -1229,8 +1229,8 @@ struct _GstH265PPS
|
||||||
guint8 num_tile_columns_minus1;
|
guint8 num_tile_columns_minus1;
|
||||||
guint8 num_tile_rows_minus1;
|
guint8 num_tile_rows_minus1;
|
||||||
guint8 uniform_spacing_flag;
|
guint8 uniform_spacing_flag;
|
||||||
guint32 column_width_minus1[19];
|
guint32 column_width_minus1[20];
|
||||||
guint32 row_height_minus1[21];
|
guint32 row_height_minus1[22];
|
||||||
guint8 loop_filter_across_tiles_enabled_flag;
|
guint8 loop_filter_across_tiles_enabled_flag;
|
||||||
|
|
||||||
guint8 loop_filter_across_slices_enabled_flag;
|
guint8 loop_filter_across_slices_enabled_flag;
|
||||||
|
|
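Review bot: The new sizes `[20]` and `[22]` are bare literals with no comment tying them to the limit they encode, even though the parser's bounds check derives its limit from these arrays through `G_N_ELEMENTS`. A short comment on each field, such as `/* up to 20 tile columns, Table A.8 */` and `/* up to 22 tile rows, Table A.8 */`, would keep a later edit from shrinking them unnoticed. Since this appears to be a struct declared in a header, growing the arrays shifts the offsets of the fields that follow, so code built against the old layout would need a rebuild; whether that matters depends on the library's stability guarantees, which the page does not state.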