X-Git-Url: https://git.piment-noir.org/?p=deb_ffmpeg.git;a=blobdiff_plain;f=ffmpeg%2Flibavcodec%2Fhevc_ps.c;fp=ffmpeg%2Flibavcodec%2Fhevc_ps.c;h=11e6eb61322ce5510dda3f3aeba6490f79b8c918;hp=6b5e13fc5bca731065a5245899b6a87686f5294b;hb=092a91210f1b986dc846dc52988518f8f913eb72;hpb=dcebb6f35d810c9009a455808b016c790bb633b4
diff --git a/ffmpeg/libavcodec/hevc_ps.c b/ffmpeg/libavcodec/hevc_ps.c
index 6b5e13f..11e6eb6 100644
--- a/ffmpeg/libavcodec/hevc_ps.c
+++ b/ffmpeg/libavcodec/hevc_ps.c
@@ -1255,6 +1255,14 @@ int ff_hevc_decode_nal_pps(HEVCContext *s)
 if (pps->cu_qp_delta_enabled_flag)
 pps->diff_cu_qp_delta_depth = get_ue_golomb_long(gb);
+ if (pps->diff_cu_qp_delta_depth < 0 ||
+ pps->diff_cu_qp_delta_depth > sps->log2_diff_max_min_coding_block_size) {
+ av_log(s->avctx, AV_LOG_ERROR, "diff_cu_qp_delta_depth %d is invalid\n",
+ pps->diff_cu_qp_delta_depth);
+ ret = AVERROR_INVALIDDATA;
+ goto err;
+ }
+
+ pps->cb_qp_offset = get_se_golomb(gb);
 if (pps->cb_qp_offset < -12 || pps->cb_qp_offset > 12) {
 av_log(s->avctx, AV_LOG_ERROR, "pps_cb_qp_offset out of range: %d\n",
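Review bot: The upper bound in the new check is read from `sps` as it stands when this PPS is parsed, so the guarantee only holds while that SPS stays in place; if an SPS with the same id can later be replaced by one with a smaller `log2_diff_max_min_coding_block_size`, a stored `diff_cu_qp_delta_depth` would no longer be in range, and the hunk does not show whether dependent PPSs are dropped or re-checked in that case. I would add a comment above the check stating the constraint and its scope, e.g. `/* must be 0..log2_diff_max_min_coding_block_size of the referenced SPS; holds only while that SPS is unchanged */`. The check also sits outside the `if (pps->cu_qp_delta_enabled_flag)` branch, so with the flag clear it relies on the field's initial value, which is set outside the hunk; the body of ff_hevc_decode_nal_pps starts and ends outside the hunk.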