From 816e5b997028c8215c804b1e58b2388592ed612b Mon Sep 17 00:00:00 2001
From: Luca Barbato <lu_zero@gentoo.org>
Date: Sat, 11 Jan 2014 11:32:07 +0100
Subject: hevc: Reject impossible slice segment

A dependent slice cannot have address 0.
Prevent an out of array bound load in ff_hevc_cabac_init().

Sample-Id: 00001406-google
Reported-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
---
 libavcodec/hevc.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libavcodec')

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index 859b2ab..bc89b17 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -779,6 +779,11 @@ static int hls_slice_header(HEVCContext *s)
 
     sh->slice_ctb_addr_rs = sh->slice_segment_addr;
 
+    if (!s->sh.slice_ctb_addr_rs && s->sh.dependent_slice_segment_flag) {
+        av_log(s->avctx, AV_LOG_ERROR, "Impossible slice segment.\n");
+        return AVERROR_INVALIDDATA;
+    }
+
     s->HEVClc.first_qp_group = !s->sh.dependent_slice_segment_flag;
 
     if (!s->pps->cu_qp_delta_enabled_flag)
-- 
cgit v1.1