sps->long_term_ref_pics_present_flag = get_bits1(gb);
if (sps->long_term_ref_pics_present_flag) {
sps->num_long_term_ref_pics_sps = get_ue_golomb_long(gb);
+ if (sps->num_long_term_ref_pics_sps > 31U) {
+ av_log(0, AV_LOG_ERROR, "num_long_term_ref_pics_sps %d is out of range.\n",
+ sps->num_long_term_ref_pics_sps);
+ goto err;
+ }
for (i = 0; i < sps->num_long_term_ref_pics_sps; i++) {
sps->lt_ref_pic_poc_lsb_sps[i] = get_bits(gb, sps->log2_max_poc_lsb);
sps->used_by_curr_pic_lt_sps_flag[i] = get_bits1(gb);
}
av_log(s->avctx, AV_LOG_WARNING,
"Displaying the whole video surface.\n");
- sps->pic_conf_win.left_offset =
- sps->pic_conf_win.right_offset =
- sps->pic_conf_win.top_offset =
- sps->pic_conf_win.bottom_offset = 0;
+ memset(&sps->pic_conf_win, 0, sizeof(sps->pic_conf_win));
+ memset(&sps->output_window, 0, sizeof(sps->output_window));
sps->output_width = sps->width;
sps->output_height = sps->height;
}
if (pps->cu_qp_delta_enabled_flag)
pps->diff_cu_qp_delta_depth = get_ue_golomb_long(gb);
+ if (pps->diff_cu_qp_delta_depth < 0 ||
+ pps->diff_cu_qp_delta_depth > sps->log2_diff_max_min_coding_block_size) {
+ av_log(s->avctx, AV_LOG_ERROR, "diff_cu_qp_delta_depth %d is invalid\n",
+ pps->diff_cu_qp_delta_depth);
+ ret = AVERROR_INVALIDDATA;
+ goto err;
+ }
+
pps->cb_qp_offset = get_se_golomb(gb);
if (pps->cb_qp_offset < -12 || pps->cb_qp_offset > 12) {
av_log(s->avctx, AV_LOG_ERROR, "pps_cb_qp_offset out of range: %d\n",
int pps_range_extensions_flag = get_bits1(gb);
/* int pps_extension_7bits = */ get_bits(gb, 7);
if (sps->ptl.general_ptl.profile_idc == FF_PROFILE_HEVC_REXT && pps_range_extensions_flag) {
- pps_range_extensions(s, pps, sps);
+ if ((ret = pps_range_extensions(s, pps, sps)) < 0)
+ goto err;
}
}