authorVíctor Manuel Jáquez Leal <vjaquez@igalia.com>2017-08-08 15:38:16 +0200
committerVíctor Manuel Jáquez Leal <vjaquez@igalia.com>2017-08-08 15:38:16 +0200
commitd879664a0ad55a65f8604be3a44375bc1117633b (patch)
tree93caffc95a5b3efce27269c96443c2321eafa80d
parent9eddf6c00458f9d611a4a3f5b343ec294538ae6b (diff)
libs: decoder: h265: untaint loop control variable
Coverity scan bug: Scalars (for example, integers) that are not properly bounds-checked (sanitized) before being used as array or pointer indexes, loop boundaries, or function arguments are considered tainted. In this case, num_nals was not checked before being used as a loop control variable.
-rw-r--r--gst-libs/gst/vaapi/gstvaapidecoder_h265.c12
1 files changed, 11 insertions, 1 deletions
diff --git a/gst-libs/gst/vaapi/gstvaapidecoder_h265.c b/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
index 9759dd97..3da14e6b 100644
--- a/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
+++ b/gst-libs/gst/vaapi/gstvaapidecoder_h265.c
@@ -2664,7 +2664,17 @@ gst_vaapi_decoder_h265_decode_codec_data (GstVaapiDecoder *
num_nal_arrays = buf[22];
ofs = 23;
for (i = 0; i < num_nal_arrays; i++) {
- num_nals = GST_READ_UINT16_BE (buf + ofs + 1);
+ const guchar *data;
+
+ if (ofs + 1 > buf_size)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ data = buf + ofs + 1;
+ if (!data)
+ return GST_VAAPI_DECODER_STATUS_ERROR_NO_DATA;
+ num_nals = GST_READ_UINT16_BE (data);
+ /* the max number of nals is GST_H265_MAX_PPS_COUNT (64) */
+ if (num_nals > 64)
+ return GST_VAAPI_DECODER_STATUS_ERROR_BITSTREAM_PARSER;
ofs += 3;
for (j = 0; j < num_nals; j++) {