add some array length checks for HEVC_ReferencePictureSets
ossfuzz issue 70890
aureliendavid committed Aug 5, 2024
1 parent f69d386 commit ca6a0a3
Showing 1 changed file with 10 additions and 8 deletions.
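--- a/src/media_tools/av_parsers.c
+++ b/src/media_tools/av_parsers.c
@@ -7232,7 +7232,7 @@ static void hevc_ref_pic_lists_modification(GF_BitStream *bs, HEVC_ReferencePict
 if (slice_type == GF_HEVC_SLICE_TYPE_B) {
 rps->modif_flag_l1 = gf_bs_read_int_log(bs, 1, "ref_pic_list_modification_flag_l1");
 if (rps->modif_flag_l1) {
-for (i=0; i<num_ref_idx_l1_active; i++) {
+for (i=0; i<MIN(num_ref_idx_l1_active, GF_ARRAY_LENGTH(rps->modif_idx_l1)); i++) {
 rps->modif_idx_l1[i] = gf_bs_read_int(bs, nb_bits);
 }
 }
@@ -7572,13 +7572,13 @@ static void gf_hevc_compute_ref_list(HEVCState *hevc, HEVCSliceInfo *si)
 //build L0
 s32 ref_pocs_l0[32];
 u32 nb_poc_l0 = 0;
-for (i=0; i<nb_poc_st_curr0; i++, nb_poc_l0++) {
+for (i=0; i<MIN(nb_poc_st_curr0, GF_ARRAY_LENGTH(ref_pocs_l0)); i++, nb_poc_l0++) {
 ref_pocs_l0[nb_poc_l0] = poc_st_curr0[i];
 }
-for ( i=0; i<nb_poc_st_curr1; i++, nb_poc_l0++) {
+for ( i=0; i<MIN(nb_poc_st_curr1, GF_ARRAY_LENGTH(ref_pocs_l0)); i++, nb_poc_l0++) {
 ref_pocs_l0[nb_poc_l0] = poc_st_curr1[i];
 }
-for (i=0; i<nb_poc_lt_curr; i++, nb_poc_l0++) {
+for (i=0; i<MIN(nb_poc_lt_curr, GF_ARRAY_LENGTH(ref_pocs_l0)); i++, nb_poc_l0++) {
 ref_pocs_l0[nb_poc_l0] = poc_lt_curr[i];
 }
 assert(nb_poc_l0 == num_poc_total);
@@ -7600,14 +7600,16 @@ static void gf_hevc_compute_ref_list(HEVCState *hevc, HEVCSliceInfo *si)
 }
 if (rps->modif_flag_l0 || num_poc_total) {
 for (i=0; i<si->num_ref_idx_l0_active; i++) {
-u32 idx = rps->modif_flag_l0 ? rps->modif_idx_l0[i] : (i%num_poc_total);
-gf_hevc_push_ref_poc(si, ref_pocs_l0[idx]);
+u32 idx = (rps->modif_flag_l0 && i<GF_ARRAY_LENGTH(rps->modif_idx_l0)) ? rps->modif_idx_l0[i] : (i%num_poc_total);
+if (idx < GF_ARRAY_LENGTH(ref_pocs_l0))
+gf_hevc_push_ref_poc(si, ref_pocs_l0[idx]);
 }
 }
 if (rps->modif_flag_l1 || num_poc_total) {
 for (i=0; i<si->num_ref_idx_l1_active; i++) {
-u32 idx = rps->modif_flag_l1 ? rps->modif_idx_l1[i] : (i%num_poc_total);
-gf_hevc_push_ref_poc(si, ref_pocs_l1[idx]);
+u32 idx = (rps->modif_flag_l1 && i<GF_ARRAY_LENGTH(rps->modif_idx_l1)) ? rps->modif_idx_l1[i] : (i%num_poc_total);
+if (idx < GF_ARRAY_LENGTH(ref_pocs_l1))
+gf_hevc_push_ref_poc(si, ref_pocs_l1[idx]);
 }
 }
 }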
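Review bot: The three L0 build loops in gf_hevc_compute_ref_list clamp the read index `i`, but the store goes to `ref_pocs_l0[nb_poc_l0]`, and `nb_poc_l0` keeps growing across all three loops, so the write can still run past the 32-entry array when the three counts together exceed 32 (whether earlier validation rules that out is not visible here). Bounding the write index closes it: `for (i=0; i<nb_poc_st_curr0 && nb_poc_l0<GF_ARRAY_LENGTH(ref_pocs_l0); i++, nb_poc_l0++)`, and likewise for the `nb_poc_st_curr1` and `nb_poc_lt_curr` loops. Once any loop is clamped, `assert(nb_poc_l0 == num_poc_total)` no longer holds, so a debug build aborts on such a stream and a release build carries on with a mismatched total; rejecting the slice at that point would be cleaner than truncating silently. The function starts above the hunk and the L1 build lies between the visible hunks, so the same pattern there should be checked.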
