This is an automated email from the git hooks/post-receive script.
Git pushed a commit to branch master
in repository ffmpeg.
The following commit(s) were added to refs/heads/master by this push:
new 0f5705959d avcodec/hevc/ps: validate rep_format dimensions in multi-layer SPS
0f5705959d is described below
commit 0f5705959df6abd65bdc26608ecb65ce5d3b79c9
Author: Michael Niedermayer <[email protected]>
AuthorDate: Sat May 2 19:24:38 2026 +0200
Commit: michaelni <[email protected]>
CommitDate: Sun May 3 13:26:06 2026 +0000
avcodec/hevc/ps: validate rep_format dimensions in multi-layer SPS
When an SPS uses the multi-layer extension (nuh_layer_id > 0 with
sps_max_sub_layers_minus1 == 7), width and height are taken from the
VPS rep_format without the av_image_check_size() validation that the
direct path performs. HEVC F.7.4.3.1.1 requires rep_format pic
dimensions to satisfy the constraints in 7.4.3.2.1, including
"pic_width_in_luma_samples shall not be equal to 0".
Run the same av_image_check_size() check in the multi-layer-extension
path so the SPS is rejected before it reaches setup_pps().
Fixes: VS-FF-2026-0003/poc.flv
Fixes: out of array access
Found-by: Vuln Seeker Cyber Security Team
Signed-off-by: Michael Niedermayer <[email protected]>
---
libavcodec/hevc/ps.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libavcodec/hevc/ps.c b/libavcodec/hevc/ps.c
index 10c9a36102..f090a31803 100644
--- a/libavcodec/hevc/ps.c
+++ b/libavcodec/hevc/ps.c
@@ -1298,6 +1298,9 @@ int ff_hevc_parse_sps(HEVCSPS *sps, GetBitContext *gb,
unsigned int *sps_id,
sps->bit_depth = rf->bit_depth_luma;
sps->width = rf->pic_width_in_luma_samples;
sps->height = rf->pic_height_in_luma_samples;
+ if ((ret = av_image_check_size(sps->width,
+ sps->height, 0, avctx)) < 0)
+ return ret;
sps->pic_conf_win.left_offset = rf->conf_win_left_offset;
sps->pic_conf_win.right_offset = rf->conf_win_right_offset;
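Review bot: the new av_image_check_size() call only covers sps->width and sps->height, but the two context lines right after it (and, by the commit message, the rest of the rep_format path) copy the conformance window offsets from rf into sps->pic_conf_win with no visible bounds check against the dimensions just validated; please confirm that the shared code after this point applies the same window-vs-dimension validation the direct SPS path performs, or add an equivalent check here so an oversized conf_win offset cannot produce a negative or zero visible size. Two smaller points: the hunk relies on `ret` already being declared earlier in ff_hevc_parse_sps() (not visible in this context), which is worth a quick confirmation; and since av_image_check_size() logs its own error through avctx, the early `return ret;` is fine without an extra av_log(), so the change is consistent with the direct path in that respect.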
_______________________________________________
ffmpeg-cvslog mailing list -- [email protected]