Skip to content

Commit 8e89fe0

Browse files
committed
error on out-of-range cpb_cnt_minus1 (oss-fuzz issue 27590)
1 parent 900772c commit 8e89fe0

File tree

2 files changed

+10
-1
lines changed

2 files changed

+10
-1
lines changed

Diff for: libde265/sps.cc

+4-1
Original file line numberDiff line numberDiff line change
@@ -435,7 +435,10 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br)
435435

436436
vui_parameters_present_flag = get_bits(br,1);
437437
if (vui_parameters_present_flag) {
438-
vui.read(errqueue, br, this);
438+
de265_error err = vui.read(errqueue, br, this);
439+
if (err) {
440+
return err;
441+
}
439442
}
440443

441444

Diff for: libde265/vui.cc

+6
Original file line numberDiff line numberDiff line change
@@ -201,6 +201,9 @@ de265_error video_usability_information::hrd_parameters(error_queue* errqueue, b
201201
if (!low_delay_hrd_flag[i])
202202
{
203203
READ_VLC_OFFSET(cpb_cnt_minus1[i], uvlc, 0);
204+
if (cpb_cnt_minus1[i] > 31) {
205+
return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
206+
}
204207
}
205208

206209
for (nalOrVcl = 0; nalOrVcl < 2; nalOrVcl++)
@@ -361,6 +364,9 @@ de265_error video_usability_information::read(error_queue* errqueue, bitreader*
361364
if (vui_hrd_parameters_present_flag) {
362365
de265_error err;
363366
err = hrd_parameters(errqueue, br, sps);
367+
if (err) {
368+
return err;
369+
}
364370
}
365371
}
366372

0 commit comments

Comments
 (0)