From d879664a0ad55a65f8604be3a44375bc1117633b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Manuel=20J=C3=A1quez=20Leal?=
Date: Tue, 8 Aug 2017 15:38:16 +0200
Subject: [PATCH] libs: decoder: h265: untaint loop control variable

Coverity scan bug: Scalars (for example, integers) are not properly bounds-checked (sanitized) before being used as array or pointer indexes, loop boundaries, or function arguments are considered as tainted. In this case, num_nals were not checked before used as loop control.
---
 gst-libs/gst/vaapi/gstvaapidecoder_h265.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/gst-libs/gst/vaapi/gstvaapidecoder_h265.c b/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
index 9759dd97c2..3da14e6b7d 100644
--- a/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
+++ b/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
@@ -2664,7 +2664,17 @@ gst_vaapi_decoder_h265_decode_codec_data (GstVaapiDecoder *
 num_nal_arrays = buf[22];
 ofs = 23;
 for (i = 0; i < num_nal_arrays; i++) {
- num_nals = GST_READ_UINT16_BE (buf + ofs + 1);
+ const guchar *data;
+
+ if (ofs + 1 > buf_size)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ data = buf + ofs + 1;
+ if (!data)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ num_nals = GST_READ_UINT16_BE (data);
+ /* the max number of nals is GST_H265_MAX_PPS_COUNT (64) */
+ if (num_nals > 64)
+ return GST_VAAPI_DECODER_STATUS_ERROR_BITSTREAM_PARSER;
 ofs += 3;
 for (j = 0; j < num_nals; j++) {
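Review bot: The added guard `if (ofs + 1 > buf_size)` is too loose for the two-byte `GST_READ_UINT16_BE (data)` that follows, which reads `buf[ofs + 1]` and `buf[ofs + 2]`; when `ofs + 1` or `ofs + 2` equals `buf_size` the read still runs past the end of the codec data. Since the array header is three bytes and `ofs += 3` follows, the check should be `if (ofs + 3 > buf_size)`. The `if (!data)` test is dead code: pointer arithmetic on a valid `buf` never yields NULL, and a NULL `buf` would have to be rejected before `buf[22]` is read, so it adds no protection and can be dropped. The literal `64` would be easier to audit as the `GST_H265_MAX_PPS_COUNT` constant the comment already names, assuming the parser header is in scope in this file. The inner `for (j ...)` loop body lies outside the hunk, so whether each NAL length is checked against `buf_size` cannot be confirmed from here.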