From 14d545d018ca76d4e623eeaf83d8ae4c7e53cfe9 Mon Sep 17 00:00:00 2001 From: Steve Lhomme Date: Tue, 13 May 2025 12:02:38 +0200 Subject: [PATCH] packetizer: h264: check the default ref_idx values are valid Reference values should only go up to 31: > num_ref_idx_l0_default_active_minus1 specifies how > num_ref_idx_l0_active_minus1 is inferred for P, SP, and B slices with num_ref_idx_active_override_flag equal to 0. The value of num_ref_idx_l0_default_active_minus1 shall be in the range of 0 to 31, inclusive. num_ref_idx_l1_default_active_minus1 specifies how num_ref_idx_l1_active_minus1 is inferred for B slices with num_ref_idx_active_override_flag equal to 0. The value of num_ref_idx_l1_default_active_minus1 shall be in the range of 0 to 31, inclusive. --- modules/packetizer/h264_nal.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/packetizer/h264_nal.c b/modules/packetizer/h264_nal.c index eead4d1237..85349c104e 100644 --- a/modules/packetizer/h264_nal.c +++ b/modules/packetizer/h264_nal.c @@ -605,6 +605,9 @@ static bool h264_parse_picture_parameter_set_rbsp( bs_t *p_bs, p_pps->num_ref_idx_l01_default_active_minus1[0] = bs_read_ue( p_bs ); p_pps->num_ref_idx_l01_default_active_minus1[1] = bs_read_ue( p_bs ); + if (p_pps->num_ref_idx_l01_default_active_minus1[0] > 31 || + p_pps->num_ref_idx_l01_default_active_minus1[1] > 31) + return false; p_pps->weighted_pred_flag = bs_read( p_bs, 1 ); p_pps->weighted_bipred_idc = bs_read( p_bs, 2 ); bs_read_se( p_bs ); /* pic_init_qp_minus26 */