diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 8ae8fc7648..a64c627b02 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -708,6 +708,10 @@ static int hls_slice_header(HEVCContext *s) if (s->pps->slice_header_extension_present_flag) { unsigned int length = get_ue_golomb_long(gb); + if (length*8LL > get_bits_left(gb)) { + av_log(s->avctx, AV_LOG_ERROR, "too many slice_header_extension_data_bytes\n"); + return AVERROR_INVALIDDATA; + } for (i = 0; i < length; i++) skip_bits(gb, 8); // slice_header_extension_data_byte }