Commit ca045893 authored by Andreas Rheinhardt's avatar Andreas Rheinhardt

avcodec/cbs_h2645: Fix potential out-of-bounds array access

The maximum allowed index for an array access is FF_ARRAY_ELEMS - 1; yet
the current code allowed FF_ARRAY_ELEMS. This wasn't dangerous in practice,
as parameter sets with invalid ids were already filtered out during
reading.

Found via PVS-Studio (see ticket #8156).
Signed-off-by: 's avatarAndreas Rheinhardt <andreas.rheinhardt@gmail.com>
(cherry picked from commit f3333c3c)
parent d2f5691e
......@@ -751,7 +751,7 @@ static int cbs_h26 ## h26n ## _replace_ ## ps_var(CodedBitstreamContext *ctx, \
CodedBitstreamH26 ## h26n ## Context *priv = ctx->priv_data; \
H26 ## h26n ## Raw ## ps_name *ps_var = unit->content; \
unsigned int id = ps_var->id_element; \
if (id > FF_ARRAY_ELEMS(priv->ps_var)) { \
if (id >= FF_ARRAY_ELEMS(priv->ps_var)) { \
av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid " #ps_name \
" id : %d.\n", id); \
return AVERROR_INVALIDDATA; \
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment