ref: 8cf300206d60d904afb1f7d1e60c86152da3337c
parent: 36b807afe75040d9953bf63f68b67e6cd2fe4fc0
author: James Almer <jamrial@gmail.com>
date: Sun Dec 2 16:33:09 EST 2018
obu: fix setting num_ticks_per_picture in sequence headers This fixes a potential overflow when setting num_ticks_per_picture if dav1d_get_vlc() returns (1 << 32) - 1.
--- a/include/dav1d/headers.h
+++ b/include/dav1d/headers.h
@@ -203,7 +203,7 @@
int num_units_in_tick;
int time_scale;
int equal_picture_interval;
- int num_ticks_per_picture;
+ unsigned num_ticks_per_picture;
int decoder_model_info_present;
int encoder_decoder_buffer_delay_length;
int num_units_in_decoding_tick;
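Review bot: `num_units_in_tick` and `time_scale`, the two fields just above the changed line, stay `int` although the obu.c part of this commit fills both from `dav1d_get_bits(gb, 32)`, so a stream-supplied value of 0x80000000 or above would end up negative in this public struct (assuming the reader returns an unsigned value, the conversion is implementation-defined). Declaring them as `unsigned num_units_in_tick;` and `unsigned time_scale;` would match the fix applied to `num_ticks_per_picture`; if they must stay signed, the parser should reject values that do not fit. A short comment on the field, such as `/* from untrusted bitstream; range 1..0xFFFFFFFF */`, would also help API consumers that use it in timing arithmetic. The struct begins and ends outside this hunk, so other fields with the same pattern may exist that are not visible here.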
--- a/src/obu.c
+++ b/src/obu.c
@@ -84,8 +84,12 @@
hdr->num_units_in_tick = dav1d_get_bits(gb, 32);
hdr->time_scale = dav1d_get_bits(gb, 32);
hdr->equal_picture_interval = dav1d_get_bits(gb, 1);
- if (hdr->equal_picture_interval)
- hdr->num_ticks_per_picture = dav1d_get_vlc(gb) + 1;
+ if (hdr->equal_picture_interval) {
+ unsigned num_ticks_per_picture = dav1d_get_vlc(gb);
+ if (num_ticks_per_picture == 0xFFFFFFFFU)
+ goto error;
+ hdr->num_ticks_per_picture = num_ticks_per_picture + 1;
+ }
hdr->decoder_model_info_present = dav1d_get_bits(gb, 1);
if (hdr->decoder_model_info_present) {