avcodec/hevc_ps: Check chroma_format_idc
authorMichael Niedermayer <michael@niedermayer.cc>
Thu, 5 Nov 2015 12:52:33 +0000 (13:52 +0100)
committerMarkus Koschany <apo@debian.org>
Mon, 7 Jan 2019 18:45:12 +0000 (18:45 +0000)
avcodec/hevc_ps: Check chroma_format_idc

Fixes out of array access
Fixes: 24d05e8b84676799c735c9e27d97895e/asan_heap-oob_1b70f6a_2955_7c3652a7f370f9f3ef40642bc2c99bb2.bit
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
[sunweaver] Ported to libav 11.12 in Debian jessie LTS.

Gbp-Pq: Name CVE-2015-8217.patch

libavcodec/hevc_ps.c

index db658bed2d256989262d632ea0fe3062814db3a6..eedb3ce3793307069ac45a742199c09c357ec65b 100644 (file)
@@ -661,9 +661,9 @@ int ff_hevc_decode_nal_sps(HEVCContext *s)
     }
 
     sps->chroma_format_idc = get_ue_golomb_long(gb);
-    if (sps->chroma_format_idc != 1) {
-        avpriv_report_missing_feature(s->avctx, "chroma_format_idc != 1\n");
-        ret = AVERROR_PATCHWELCOME;
+    if (sps->chroma_format_idc > 3u) {
+        av_log(s->avctx, AV_LOG_ERROR, "chroma_format_idc %d is invalid\n", sps->chroma_format_idc);
+        ret = AVERROR_INVALIDDATA;
         goto err;
     }
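Review bot: The new condition `sps->chroma_format_idc > 3u` lets 0, 2 and 3 through, whereas the removed `!= 1` test rejected every value except 1, so in this tree the check becomes looser rather than tighter. Whether the rest of ff_hevc_decode_nal_sps in this libav 11 backport can handle monochrome, 4:2:2 and 4:4:4 streams is not visible here (the function starts and ends outside the hunk); if the old test existed because those formats are unimplemented, parameter sets carrying them would now reach code that assumes 4:2:0. I would keep the range check for the invalid-data case and retain the removed `avpriv_report_missing_feature()` / `AVERROR_PATCHWELCOME` block directly after it, guarded by `if (sps->chroma_format_idc != 1)`. Running the sample named in the commit message plus a 4:2:2 or 4:4:4 stream under ASan would confirm both paths.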