From ce3bb011197dfa6d3b8d8a65b7cc6a8f079e82ac Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Tue, 12 May 2015 19:09:06 +0200
Subject: [PATCH] avformat/hevc: Check cpb_cnt_minus1

Fixes CID1239014

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 2cddc0b19a20dd061dbf199bf88005b37c540d2f)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavformat/hevc.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/libavformat/hevc.c b/libavformat/hevc.c
index 45b00c45bc..8ef3c1f986 100644
--- a/libavformat/hevc.c
+++ b/libavformat/hevc.c
@@ -189,7 +189,7 @@ static void skip_sub_layer_hrd_parameters(GetBitContext *gb,
     }
 }
 
-static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
+static int skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
                                 unsigned int max_sub_layers_minus1)
 {
     unsigned int i;
@@ -246,8 +246,11 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
         else
             low_delay_hrd_flag = get_bits1(gb);
 
-        if (!low_delay_hrd_flag)
+        if (!low_delay_hrd_flag) {
             cpb_cnt_minus1 = get_ue_golomb_long(gb);
+            if (cpb_cnt_minus1 > 31)
+                return AVERROR_INVALIDDATA;
+        }
 
         if (nal_hrd_parameters_present_flag)
             skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1,
@@ -257,6 +260,8 @@ static void skip_hrd_parameters(GetBitContext *gb, uint8_t cprms_present_flag,
             skip_sub_layer_hrd_parameters(gb, cpb_cnt_minus1,
                                           sub_pic_hrd_params_present_flag);
     }
+
+    return 0;
 }
 
 static void skip_timing_info(GetBitContext *gb)