avcodec/cbs_h2645: Fix potential out-of-bounds array access

The maximum allowed index for an array access is FF_ARRAY_ELEMS - 1; yet the current code allowed FF_ARRAY_ELEMS. This wasn't dangerous in practice, as parameter sets with invalid ids were already filtered out during reading. Found via PVS-Studio (see ticket #8156). Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> (cherry picked from commit f3333c3c)

avcodec/cbs_h2645: Fix potential out-of-bounds array access
The maximum allowed index for an array access is FF_ARRAY_ELEMS - 1; yet the current code allowed FF_ARRAY_ELEMS. This wasn't dangerous in practice, as parameter sets with invalid ids were already filtered out during reading. Found via PVS-Studio (see ticket #8156). Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@gmail.com> (cherry picked from commit f3333c3c)
ca045893 · Andreas Rheinhardt · d2f5691e · ca045893
Commit ca045893 authored Sep 18, 2019 by Andreas Rheinhardt
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

cbs_h2645.c libavcodec/cbs_h2645.c +1 -1

No files found.
--- a/libavcodec/cbs_h2645.c
+++ b/libavcodec/cbs_h2645.c
@@ -751,7 +751,7 @@ static int cbs_h26 ## h26n ## _replace_ ## ps_var(CodedBitstreamContext *ctx, \
    CodedBitstreamH26 ## h26n ## Context *priv = ctx->priv_data; \
    H26 ## h26n ## Raw ## ps_name *ps_var = unit->content; \
    unsigned int id = ps_var->id_element; \
-    if (id > FF_ARRAY_ELEMS(priv->ps_var)) { \
+    if (id >= FF_ARRAY_ELEMS(priv->ps_var)) { \
        av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid " #ps_name \
               " id : %d.\n", id); \
        return AVERROR_INVALIDDATA; \