avcodec/hevc_ps: further constrain allowed num_ref_loc_offsets values

The spec says: "The value of num_ref_loc_offsets shall be in the range of 0 to vps_max_layers_minus1, inclusive". Signed-off-by: James Almer <jamrial@gmail.com>

avcodec/hevc_ps: further constrain allowed num_ref_loc_offsets values
The spec says: "The value of num_ref_loc_offsets shall be in the range of 0 to vps_max_layers_minus1, inclusive". Signed-off-by: James Almer <jamrial@gmail.com>
7fece767 · James Almer · c17e33c0 · 7fece767 · 7fece767
Commit 7fece767 authored Apr 17, 2023 by James Almer
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 7 deletions

hevc_ps.c libavcodec/hevc_ps.c +7 -6

hevc_ps.h libavcodec/hevc_ps.h +1 -1

No files found.
--- a/libavcodec/hevc_ps.c
+++ b/libavcodec/hevc_ps.c
@@ -1384,18 +1384,17 @@ static void colour_mapping_table(GetBitContext *gb, HEVCPPS *pps)
 }

 static int pps_multilayer_extension(GetBitContext *gb, AVCodecContext *avctx,
-                                    HEVCPPS *pps, HEVCSPS *sps)
+                                    HEVCPPS *pps, HEVCSPS *sps, HEVCVPS *vps)
 {
    pps->poc_reset_info_present_flag = get_bits1(gb);
    pps->pps_infer_scaling_list_flag = get_bits1(gb);
    if (pps->pps_infer_scaling_list_flag)
        pps->pps_scaling_list_ref_layer_id = get_bits(gb, 6);

-    pps->num_ref_loc_offsets = get_ue_golomb_long(gb);
-    if (pps->num_ref_loc_offsets > FF_ARRAY_ELEMS(pps->ref_loc_offset_layer_id)) {
-        pps->num_ref_loc_offsets = 0;
+    pps->num_ref_loc_offsets = get_ue_golomb(gb);
+    if (pps->num_ref_loc_offsets > vps->vps_max_layers - 1)
        return AVERROR_INVALIDDATA;
-    }
+
    for (int i = 0; i < pps->num_ref_loc_offsets; i++) {
        pps->ref_loc_offset_layer_id[i] = get_bits(gb, 6);
        pps->scaled_ref_layer_offset_present_flag[i] = get_bits1(gb);
@@ -1693,6 +1692,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
                           HEVCParamSets *ps)
 {
    HEVCSPS      *sps = NULL;
+    HEVCVPS      *vps = NULL;
    int i, ret = 0;
    unsigned int pps_id = 0;
    ptrdiff_t nal_size;
@@ -1753,6 +1753,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
        goto err;
    }
    sps = (HEVCSPS *)ps->sps_list[pps->sps_id]->data;
+    vps = (HEVCVPS *)ps->vps_list[sps->vps_id]->data;

    pps->dependent_slice_segments_enabled_flag = get_bits1(gb);
    pps->output_flag_present_flag              = get_bits1(gb);
@@ -1921,7 +1922,7 @@ int ff_hevc_decode_nal_pps(GetBitContext *gb, AVCodecContext *avctx,
        }

        if (pps->pps_multilayer_extension_flag) {
-            if ((ret = pps_multilayer_extension(gb, avctx, pps, sps)) < 0)
+            if ((ret = pps_multilayer_extension(gb, avctx, pps, sps, vps)) < 0)
                goto err;
        }


--- a/libavcodec/hevc_ps.h
+++ b/libavcodec/hevc_ps.h
@@ -314,7 +314,7 @@ typedef struct HEVCPPS {
    uint8_t poc_reset_info_present_flag;
    uint8_t pps_infer_scaling_list_flag;
    uint8_t pps_scaling_list_ref_layer_id;
-    uint16_t num_ref_loc_offsets;
+    uint8_t num_ref_loc_offsets;
    uint8_t ref_loc_offset_layer_id[64];
    uint8_t scaled_ref_layer_offset_present_flag[64];
    int8_t scaled_ref_layer_left_offset[64];