@@ -4690,20 +4690,23 @@ u32 gf_bs_read_ue_log_idx3(GF_BitStream *bs, const char *fname, s32 idx1, s32 id
46904690 u32 bits = 0 ;
46914691 for (code = 0 ; !code ; nb_lead ++ ) {
46924692 if (nb_lead >=32 ) {
4693- //gf_bs_read_int keeps returning 0 on EOS, so if no more bits available, rbsp was truncated otherwise code is broken in rbsp)
4694- //we only test once nb_lead>=32 to avoid testing at each bit read
4695- if (!gf_bs_available (bs )) {
4696- GF_LOG (GF_LOG_ERROR , GF_LOG_CODING , ("[Core] exp-golomb read failed, not enough bits in bitstream !\n" ));
4697- } else {
4698- GF_LOG (GF_LOG_ERROR , GF_LOG_CODING , ("[Core] corrupted exp-golomb code, %d leading zeros, max 31 allowed !\n" , nb_lead ));
4699- }
4700- return 0 ;
4693+ break ;
47014694 }
4702-
47034695 code = gf_bs_read_int (bs , 1 );
47044696 bits ++ ;
47054697 }
47064698
4699+ if (nb_lead >=32 ) {
4700+ //gf_bs_read_int keeps returning 0 on EOS, so if no more bits available, rbsp was truncated otherwise code is broken in rbsp)
4701+ //we only test once nb_lead>=32 to avoid testing at each bit read
4702+ if (!gf_bs_available (bs )) {
4703+ GF_LOG (GF_LOG_ERROR , GF_LOG_CODING , ("[Core] exp-golomb read failed, not enough bits in bitstream !\n" ));
4704+ } else {
4705+ GF_LOG (GF_LOG_ERROR , GF_LOG_CODING , ("[Core] corrupted exp-golomb code, %d leading zeros, max 31 allowed !\n" , nb_lead ));
4706+ }
4707+ return 0 ;
4708+ }
4709+
47074710 if (nb_lead ) {
47084711 u32 leads = 1 ;
47094712 val = gf_bs_read_int (bs , nb_lead );
@@ -5785,7 +5788,7 @@ static s32 svc_parse_slice(GF_BitStream *bs, AVCState *avc, AVCSliceInfo *si)
57855788 if (si -> slice_type > 9 ) return -1 ;
57865789
57875790 pps_id = gf_bs_read_ue_log (bs , "pps_id" );
5788- if (pps_id > 255 )
5791+ if (( pps_id < 0 ) || ( pps_id > 255 ) )
57895792 return -1 ;
57905793 si -> pps = & avc -> pps [pps_id ];
57915794 si -> pps -> id = pps_id ;
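Review bot: In svc_parse_slice the widened range check still lets through a `pps_id` of 0 that comes from a failed read, since the relocated error path in gf_bs_read_ue_log_idx3 ends in `return 0;`, which is also a valid exp-golomb value. Assuming gf_bs_read_ue_log forwards to that reader, a truncated slice header would select `avc->pps[0]` and overwrite `si->pps->id` instead of being rejected. The truncation case can be caught right after the read with `if (!pps_id && !gf_bs_available(bs)) return -1;`; the corrupted-code case needs an error indication from the reader, which these hunks do not show. Both function bodies continue outside the hunks.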