author | Víctor Manuel Jáquez Leal <vjaquez@igalia.com> | 2017-08-08 15:38:16 +0200 |
---|---|---|
committer | Víctor Manuel Jáquez Leal <vjaquez@igalia.com> | 2017-08-08 15:38:16 +0200 |
commit | d879664a0ad55a65f8604be3a44375bc1117633b (patch) | |
tree | 93caffc95a5b3efce27269c96443c2321eafa80d | |
parent | 9eddf6c00458f9d611a4a3f5b343ec294538ae6b (diff) |
libs: decoder: h265: untaint loop control variable
Coverity scan bug:
Scalars (for example, integers) that are not properly
bounds-checked (sanitized) before being used as array or pointer
indexes, loop boundaries, or function arguments are considered
tainted.
In this case, num_nals was not checked before being used as loop control.
-rw-r--r-- | gst-libs/gst/vaapi/gstvaapidecoder_h265.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/gst-libs/gst/vaapi/gstvaapidecoder_h265.c b/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
index 9759dd97..3da14e6b 100644
--- a/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
+++ b/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
@@ -2664,7 +2664,17 @@ gst_vaapi_decoder_h265_decode_codec_data (GstVaapiDecoder *
 num_nal_arrays = buf[22];
 ofs = 23;
 for (i = 0; i < num_nal_arrays; i++) {
- num_nals = GST_READ_UINT16_BE (buf + ofs + 1);
+ const guchar *data;
+
+ if (ofs + 1 > buf_size)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ data = buf + ofs + 1;
+ if (!data)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ num_nals = GST_READ_UINT16_BE (data);
+ /* the max number of nals is GST_H265_MAX_PPS_COUNT (64) */
+ if (num_nals > 64)
+ return GST_VAAPI_DECODER_STATUS_ERROR_BITSTREAM_PARSER;
 ofs += 3;
 for (j = 0; j < num_nals; j++) { |
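Review bot: The added length check `if (ofs + 1 > buf_size)` still lets the 16-bit read run past the end of the buffer, because `GST_READ_UINT16_BE (data)` touches `buf[ofs + 1]` and `buf[ofs + 2]`; codec data is untrusted input, so the guard should cover the whole three-byte array header, `if (ofs + 3 > buf_size) return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;`. The following `if (!data)` test cannot fire for a non-NULL `buf`, since `data` is `buf + ofs + 1`, and could be dropped. The cap would read better as the `GST_H265_MAX_PPS_COUNT` constant the comment already names than as the literal 64. The function body and the inner `j` loop continue outside the hunk, so whether each NAL's length is checked against `buf_size` there cannot be confirmed from here.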