[vlc-commits] [Git][videolan/vlc][master] 3 commits: packetizer: hevc_nal: check some values
Felix Paul Kühne (@fkuehne)
gitlab at videolan.org
Sun Mar 8 20:46:27 UTC 2026
Felix Paul Kühne pushed to branch master at VideoLAN / VLC
Commits:
31ecb3b5 by François Cartegnie at 2026-03-08T20:52:48+01:00
packetizer: hevc_nal: check some values
- - - - -
8b0f8473 by François Cartegnie at 2026-03-08T20:52:48+01:00
packetizer: hevc_nal: check for EOS within loop
refs #29626
- - - - -
8935caa9 by François Cartegnie at 2026-03-08T20:52:48+01:00
packetizer: h264_nal: check some values
- - - - -
2 changed files:
- modules/packetizer/h264_nal.c
- modules/packetizer/hevc_nal.c
Changes:
=====================================
modules/packetizer/h264_nal.c
=====================================
@@ -319,8 +319,12 @@ static bool h264_parse_sequence_parameter_set_rbsp( bs_t *p_bs,
p_sps->b_separate_colour_planes_flag = 0;
/* bit_depth_luma_minus8 */
p_sps->i_bit_depth_luma = bs_read_ue( p_bs ) + 8;
+ if( p_sps->i_bit_depth_luma > 6 + 8 )
+ return false;
/* bit_depth_chroma_minus8 */
p_sps->i_bit_depth_chroma = bs_read_ue( p_bs ) + 8;
+ if( p_sps->i_bit_depth_chroma > 6 + 8 )
+ return false;
/* qpprime_y_zero_transform_bypass_flag */
bs_skip( p_bs, 1 );
/* seq_scaling_matrix_present_flag */
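Review bot: Both bit-depth checks run on the value after it has been stored in `p_sps`, so if `i_bit_depth_luma` / `i_bit_depth_chroma` are narrower than what `bs_read_ue()` returns (the struct is declared outside this hunk), an oversized Exp-Golomb value can wrap on assignment and still pass `> 6 + 8`, possibly leaving a depth below 8. Checking the raw read before storing avoids that: `unsigned v = bs_read_ue( p_bs ); if( v > 6 ) return false; p_sps->i_bit_depth_luma = v + 8;`. The same store-then-compare pattern appears in the `i_pic_order_cnt_type` hunk and in the hevc_nal.c hunks for `sample_loc_type_*`, `vps_num_layer_set_minus1`, `num_ref_idx_l*_default_active_minus1` and the signed QP and deblocking offsets, so the field widths there are worth confirming too. The function body starts and ends outside the hunk.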
@@ -368,6 +372,8 @@ static bool h264_parse_sequence_parameter_set_rbsp( bs_t *p_bs,
/* Read poc_type */
p_sps->i_pic_order_cnt_type = bs_read_ue( p_bs );
+ if( p_sps->i_pic_order_cnt_type > 2 )
+ return false;
if( p_sps->i_pic_order_cnt_type == 0 )
{
/* skip i_log2_max_poc_lsb */
@@ -386,8 +392,9 @@ static bool h264_parse_sequence_parameter_set_rbsp( bs_t *p_bs,
for( int i=0; i<p_sps->i_num_ref_frames_in_pic_order_cnt_cycle; i++ )
p_sps->offset_for_ref_frame[i] = bs_read_se( p_bs );
}
- /* i_num_ref_frames */
- bs_read_ue( p_bs );
+ /* max_num_ref_frames */
+ if( bs_read_ue( p_bs ) > 16 )
+ return false;
/* b_gaps_in_frame_num_value_allowed */
bs_skip( p_bs, 1 );
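Review bot: The limit `16` on max_num_ref_frames is a bare constant, and the value is discarded once checked, so the reason for the bound is not visible to the next reader. A comment such as `/* max_num_ref_frames: 0..MaxDpbFrames, which is at most 16 */` would document it; `6 + 8` in the bit-depth checks earlier in this file would benefit from the same treatment. The loop writing `offset_for_ref_frame[i]` at the top of the hunk relies on a bound for `i_num_ref_frames_in_pic_order_cnt_cycle` that is set outside the hunk and could not be checked here.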
=====================================
modules/packetizer/hevc_nal.c
=====================================
@@ -460,6 +460,9 @@ static bool hevc_parse_vui_parameters_rbsp( bs_t *p_bs, hevc_vui_parameters_t *p
{
p_vui->chroma.sample_loc_type_top_field = bs_read_ue( p_bs );
p_vui->chroma.sample_loc_type_bottom_field = bs_read_ue( p_bs );
+ if( p_vui->chroma.sample_loc_type_top_field > 5 ||
+ p_vui->chroma.sample_loc_type_bottom_field > 5 )
+ return false;
}
p_vui->neutral_chroma_indication_flag = bs_read1( p_bs );
@@ -652,6 +655,8 @@ static bool hevc_parse_video_parameter_set_rbsp( bs_t *p_bs,
p_vps->vps_max_layer_id = bs_read( p_bs, 6 );
p_vps->vps_num_layer_set_minus1 = bs_read_ue( p_bs );
+ if( p_vps->vps_num_layer_set_minus1 > 1023 )
+ return false;
// layer_id_included_flag; read but discarded
bs_skip( p_bs, p_vps->vps_num_layer_set_minus1 * (p_vps->vps_max_layer_id + 1) );
@@ -933,6 +938,9 @@ static bool hevc_parse_pic_parameter_set_rbsp( bs_t *p_bs,
p_pps->num_ref_idx_l0_default_active_minus1 = bs_read_ue( p_bs );
p_pps->num_ref_idx_l1_default_active_minus1 = bs_read_ue( p_bs );
+ if( p_pps->num_ref_idx_l0_default_active_minus1 > 14 ||
+ p_pps->num_ref_idx_l1_default_active_minus1 > 14 )
+ return false;
p_pps->init_qp_minus26 = bs_read_se( p_bs );
p_pps->constrained_intra_pred_flag = bs_read1( p_bs );
@@ -946,6 +954,9 @@ static bool hevc_parse_pic_parameter_set_rbsp( bs_t *p_bs,
p_pps->pps_cb_qp_offset = bs_read_se( p_bs );
p_pps->pps_cr_qp_offset = bs_read_se( p_bs );
+ if( p_pps->pps_cb_qp_offset > 12 || p_pps->pps_cb_qp_offset < -12 ||
+ p_pps->pps_cr_qp_offset > 12 || p_pps->pps_cr_qp_offset < -12 )
+ return false;
p_pps->pic_slice_level_chroma_qp_offsets_present_flag = bs_read1( p_bs );
p_pps->weighted_pred_flag = bs_read1( p_bs );
p_pps->weighted_bipred_flag = bs_read1( p_bs );
@@ -955,15 +966,23 @@ static bool hevc_parse_pic_parameter_set_rbsp( bs_t *p_bs,
if( p_pps->tiles_enabled_flag )
{
- p_pps->num_tile_columns_minus1 = bs_read_ue( p_bs ); /* TODO: validate max col/row values */
- p_pps->num_tile_rows_minus1 = bs_read_ue( p_bs ); /* against sps PicWidthInCtbsY */
+ p_pps->num_tile_columns_minus1 = bs_read_ue( p_bs ); /* should validate max col/row values */
+ p_pps->num_tile_rows_minus1 = bs_read_ue( p_bs ); /* against PicWidthInCtbsY but we don't want to depend on SPS */
p_pps->uniform_spacing_flag = bs_read1( p_bs );
if( !p_pps->uniform_spacing_flag )
{
for( unsigned i=0; i< p_pps->num_tile_columns_minus1; i++ )
+ {
(void) bs_read_ue( p_bs );
+ if( bs_error( p_bs ) )
+ return false;
+ }
for( unsigned i=0; i< p_pps->num_tile_rows_minus1; i++ )
+ {
(void) bs_read_ue( p_bs );
+ if( bs_error( p_bs ) )
+ return false;
+ }
}
p_pps->loop_filter_across_tiles_enabled_flag = bs_read1( p_bs );
if( bs_error( p_bs ) )
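Review bot: `num_tile_columns_minus1` and `num_tile_rows_minus1` are still stored without any range check; the added `bs_error()` tests only stop the two skip loops once the bitstream is exhausted. Since the revised comment says the SPS-relative check is deliberately left out, it would help to state the consequence for callers, e.g. `/* not range-checked here: validate against the SPS picture size in CTBs before using as a count or index */`. Whether `bs_read_ue()` sets the error state on a read past the end is defined outside this hunk, so the loop exit depends on that behaviour. The enclosing `if( p_pps->tiles_enabled_flag )` block continues past the hunk.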
@@ -980,6 +999,9 @@ static bool hevc_parse_pic_parameter_set_rbsp( bs_t *p_bs,
{
p_pps->pps_beta_offset_div2 = bs_read_se( p_bs );
p_pps->pps_tc_offset_div2 = bs_read_se( p_bs );
+ if( p_pps->pps_beta_offset_div2 > 6 || p_pps->pps_beta_offset_div2 < -6 ||
+ p_pps->pps_tc_offset_div2 > 6 || p_pps->pps_tc_offset_div2 < -6 )
+ return false;
}
}
View it on GitLab: https://code.videolan.org/videolan/vlc/-/compare/8b55b111cebf0eae062ae356a1d308359d88c0b6...8935caa90ad271104a79bd1e161f175fe653e3d9