added more length checks to gf_hevc_compute_ref_list()
ossfuzz issue 71146
aureliendavid committed Aug 20, 2024
1 parent 7ff782d commit deb5bc6
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions src/media_tools/av_parsers.c
@@ -7549,12 +7549,16 @@ static void gf_hevc_compute_ref_list(HEVCState *hevc, HEVCSliceInfo *si)
u32 nb_poc_lt_curr=0;
s32 poc_lt_curr[16];
for (i=0; i < rps->num_negative_pics; i++) {
if (i>=GF_ARRAY_LENGTH(rps->used_by_curr_pic) || i>=GF_ARRAY_LENGTH(rps->delta_poc) || nb_poc_st_curr0>=GF_ARRAY_LENGTH(poc_st_curr0))
break;
if (!rps->used_by_curr_pic[i]) continue;
poc_st_curr0[nb_poc_st_curr0] = si->poc + rps->delta_poc[i];
nb_poc_st_curr0++;
}

for (; i < rps->num_negative_pics+rps->num_positive_pics; i++) {
if (i>=GF_ARRAY_LENGTH(rps->used_by_curr_pic) || i>=GF_ARRAY_LENGTH(rps->delta_poc) || nb_poc_st_curr1>=GF_ARRAY_LENGTH(poc_st_curr1))
break;
if (!rps->used_by_curr_pic[i]) continue;
poc_st_curr1[nb_poc_st_curr1] = si->poc + rps->delta_poc[i];
nb_poc_st_curr1++;
@@ -7563,6 +7567,8 @@ static void gf_hevc_compute_ref_list(HEVCState *hevc, HEVCSliceInfo *si)
u32 num_long_term_pictures = 0;
u32 num_interlayer_ref_idx = 0;
for (i = rps->num_negative_pics + rps->num_positive_pics + num_long_term_pictures - 1; i >rps->num_negative_pics + rps->num_positive_pics-1 ; i--) {
if (i>=GF_ARRAY_LENGTH(rps->used_by_curr_pic) || nb_poc_lt_curr>=GF_ARRAY_LENGTH(poc_lt_curr))
break;
if (!rps->used_by_curr_pic[i]) continue;
poc_lt_curr[nb_poc_lt_curr] = 0; //todo, get LT from SH
nb_poc_lt_curr++;
@@ -7588,12 +7594,18 @@ static void gf_hevc_compute_ref_list(HEVCState *hevc, HEVCSliceInfo *si)
u32 nb_poc_l1 = 0;
if (si->slice_type == GF_HEVC_SLICE_TYPE_B) {
for ( i=0; i<nb_poc_st_curr1; i++, nb_poc_l1++) {
if (i>=GF_ARRAY_LENGTH(poc_st_curr1) || nb_poc_l1>=GF_ARRAY_LENGTH(ref_pocs_l1))
break;
ref_pocs_l1[nb_poc_l1] = poc_st_curr1[i];
}
for ( i=0; i<nb_poc_st_curr0; i++, nb_poc_l1++) {
if (i>=GF_ARRAY_LENGTH(poc_st_curr0) || nb_poc_l1>=GF_ARRAY_LENGTH(ref_pocs_l1))
break;
ref_pocs_l1[nb_poc_l1] = poc_st_curr0[i];
}
for ( i=0; i<nb_poc_lt_curr; i++, nb_poc_l1++) {
if (i>=GF_ARRAY_LENGTH(poc_lt_curr) || nb_poc_l1>=GF_ARRAY_LENGTH(ref_pocs_l1))
break;
ref_pocs_l1[nb_poc_l1] = poc_lt_curr[i];
}
assert(nb_poc_l1 == num_poc_total);
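Review bot: The `assert(nb_poc_l1 == num_poc_total);` that closes the list-1 block still expects every entry to have been copied, while the three guards added just above it now `break` out silently once `ref_pocs_l1` is full. If `num_poc_total` is the sum of the three counters (it is computed outside the hunk, so this is inferred), a bitstream that trips a guard aborts in assert-enabled builds and carries on with a truncated reference list where asserts are compiled out. I would replace the assert with an explicit runtime check such as `if (nb_poc_l1 != num_poc_total) return;` preceded by a warning log, provided nothing later in the function must still run, so malformed input is rejected the same way in every build. Separately, in the first hunk a `break` taken because `poc_st_curr0` is full leaves `i` below `rps->num_negative_pics`, and the following `for (; i < ...)` loop would then file the remaining negative entries into `poc_st_curr1`; setting `i = rps->num_negative_pics;` before that loop avoids it. The body of gf_hevc_compute_ref_list starts and ends outside these hunks.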