Commit 2d71ad49 authored by Seungha Yang's avatar Seungha Yang 🐑 Committed by Nicolas Dufresne

h265parser: Fix possible invalid memory access

... and do stricter validation of num_tile_columns_minus1 and
num_tile_rows_minus1.

As per specification Table A.8, the maximum allowed numbers of tile rows
and tile columns are 22 and 20, respectively. So we should adjust the size
of each array.

Part-of: <!1372>
parent 495ed45d
......@@ -2164,8 +2164,23 @@ gst_h265_parse_pps (GstH265Parser * parser, GstH265NalUnit * nalu,
READ_UINT8 (&nr, pps->entropy_coding_sync_enabled_flag, 1);
if (pps->tiles_enabled_flag) {
READ_UE_ALLOWED (&nr, pps->num_tile_columns_minus1, 0, 19);
READ_UE_ALLOWED (&nr, pps->num_tile_rows_minus1, 0, 21);
READ_UE_ALLOWED (&nr,
pps->num_tile_columns_minus1, 0, pps->PicWidthInCtbsY - 1);
READ_UE_ALLOWED (&nr,
pps->num_tile_rows_minus1, 0, pps->PicHeightInCtbsY - 1);
if (pps->num_tile_columns_minus1 + 1 >
G_N_ELEMENTS (pps->column_width_minus1)) {
GST_WARNING ("Invalid \"num_tile_columns_minus1\" %d",
pps->num_tile_columns_minus1);
goto error;
}
if (pps->num_tile_rows_minus1 + 1 > G_N_ELEMENTS (pps->row_height_minus1)) {
GST_WARNING ("Invalid \"num_tile_rows_minus1\" %d",
pps->num_tile_rows_minus1);
goto error;
}
READ_UINT8 (&nr, pps->uniform_spacing_flag, 1);
/* 6.5.1, 6-4, 6-5, 7.4.3.3.1 */
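Review bot: The upper bound passed to READ_UE_ALLOWED is now `pps->PicWidthInCtbsY - 1` (and `pps->PicHeightInCtbsY - 1` for rows), which can exceed 255 on large pictures, while both fields are declared `guint8` in struct _GstH265PPS. The macro's definition is not visible here, but if it range-checks the decoded value and then assigns it to the field, a value such as 256 would be truncated to 0 and pass the G_N_ELEMENTS check that follows, so a malformed PPS would be accepted with the wrong tile count instead of being rejected. Capping the bound at the array size closes that gap, e.g. `READ_UE_ALLOWED (&nr, pps->num_tile_columns_minus1, 0, MIN (pps->PicWidthInCtbsY - 1, G_N_ELEMENTS (pps->column_width_minus1) - 1));`, and the same for rows. It is also worth confirming that PicWidthInCtbsY and PicHeightInCtbsY cannot be 0 at this point, since the subtraction would wrap if they are unsigned. gst_h265_parse_pps starts and ends outside this hunk.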
......
......@@ -1229,8 +1229,8 @@ struct _GstH265PPS
guint8 num_tile_columns_minus1;
guint8 num_tile_rows_minus1;
guint8 uniform_spacing_flag;
guint32 column_width_minus1[19];
guint32 row_height_minus1[21];
guint32 column_width_minus1[20];
guint32 row_height_minus1[22];
guint8 loop_filter_across_tiles_enabled_flag;
guint8 loop_filter_across_slices_enabled_flag;
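Review bot: The new sizes 20 and 22 for `column_width_minus1` and `row_height_minus1` are bare literals with nothing beside them saying where they come from. A short comment above the two arrays, such as `/* max tile columns / rows, see Table A.8 */`, would keep the struct and the parser's G_N_ELEMENTS checks traceable to the specification. Growing these arrays also shifts the offset of every later member of struct _GstH265PPS, so if this header is installed and used by separately built code, those users need a rebuild against the new layout. The struct definition starts and ends outside this hunk.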
......