authorVíctor Manuel Jáquez Leal <vjaquez@igalia.com>2017-08-08 15:38:16 +0200
committerVíctor Manuel Jáquez Leal <vjaquez@igalia.com>2017-08-24 13:04:22 +0200
commit99fe63063d83a73baec43ad6c782ce0f38664f38 (patch)
tree276f56cab71d3b4e9522f393196aee6c976a1414
parentdc8964b907cfe0b868ee06bd5e737c57c0de1ee5 (diff)
libs: decoder: h265: untaint loop control variable
Coverity scan bug: Scalars (for example, integers) that are not properly bounds-checked (sanitized) before being used as array or pointer indexes, loop boundaries, or function arguments are considered tainted. In this case, num_nals was not checked before being used as loop control.
-rw-r--r--gst-libs/gst/vaapi/gstvaapidecoder_h265.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/gst-libs/gst/vaapi/gstvaapidecoder_h265.c b/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
index 15be632b..37228256 100644
--- a/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
+++ b/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
@@ -2664,7 +2664,17 @@ gst_vaapi_decoder_h265_decode_codec_data (GstVaapiDecoder *
num_nal_arrays = buf[22];
ofs = 23;
for (i = 0; i < num_nal_arrays; i++) {
- num_nals = GST_READ_UINT16_BE (buf + ofs + 1);
+ const guchar *data;
+
+ if (ofs + 1 > buf_size)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ data = buf + ofs + 1;
+ if (!data)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ num_nals = GST_READ_UINT16_BE (data);
+ /* the max number of nals is GST_H265_MAX_PPS_COUNT (64) */
+ if (num_nals > 64)
+ return GST_VAAPI_DECODER_STATUS_ERROR_BITSTREAM_PARSER;
ofs += 3;
for (j = 0; j < num_nals; j++) {