media: Fix integer overflow in H265 parser

BUG=b:153111783 TEST=Fuzzer passes Change-Id: Iab634196b5f5027b2f1feda35c33771201f71ebf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2579789 Auto-Submit: Jeffrey Kardatzke <jkardatzke@google.com> Commit-Queue: Dale Curtis <dalecurtis@chromium.org> Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Cr-Commit-Position: refs/heads/master@{#834963}

media: Fix integer overflow in H265 parser
BUG=b:153111783 TEST=Fuzzer passes Change-Id: Iab634196b5f5027b2f1feda35c33771201f71ebf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2579789 Auto-Submit: Jeffrey Kardatzke <jkardatzke@google.com> Commit-Queue: Dale Curtis <dalecurtis@chromium.org> Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Cr-Commit-Position: refs/heads/master@{#834963}
17ac09fd · Jeffrey Kardatzke · Chromium LUCI CQ · 717796fb · 17ac09fd
Commit 17ac09fd authored Dec 09, 2020 by Jeffrey Kardatzke Committed by Chromium LUCI CQ Dec 09, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

media/video/h265_parser.cc media/video/h265_parser.cc +2 -2

No files found.
--- a/media/video/h265_parser.cc
+++ b/media/video/h265_parser.cc
@@ -1063,8 +1063,8 @@ H265Parser::Result H265Parser::ParseSliceHeader(const H265NALU& nalu,
               shdr->GetStRefPicSet(sps).num_positive_pics -
               shdr->num_long_term_sps));
        }
-        IN_RANGE_OR_RETURN(shdr->num_long_term_sps + shdr->num_long_term_pics,
-                           0, kMaxLongTermRefPicSets);
+        IN_RANGE_OR_RETURN(shdr->num_long_term_pics, 0,
+                           kMaxLongTermRefPicSets - shdr->num_long_term_sps);
        for (int i = 0; i < shdr->num_long_term_sps + shdr->num_long_term_pics;
             ++i) {
          if (i < shdr->num_long_term_sps) {