From 8e89fe0e175d2870c39486fdd09250b230ec10b8 Mon Sep 17 00:00:00 2001
From: Dirk Farin
Date: Tue, 5 Apr 2022 09:52:57 +0200
Subject: [PATCH] error on out-of-range cpb_cnt_minus1 (oss-fuzz issue 27590)
---
 libde265/sps.cc | 5 ++++-
 libde265/vui.cc | 6 ++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/libde265/sps.cc b/libde265/sps.cc
index addd73c5..cb99c3fd 100644
--- a/libde265/sps.cc
+++ b/libde265/sps.cc
@@ -435,7 +435,10 @@ de265_error seq_parameter_set::read(error_queue* errqueue, bitreader* br)
 vui_parameters_present_flag = get_bits(br,1);
 if (vui_parameters_present_flag) {
- vui.read(errqueue, br, this);
+ de265_error err = vui.read(errqueue, br, this);
+ if (err) {
+ return err;
+ }
 }
diff --git a/libde265/vui.cc b/libde265/vui.cc
index b5f46ac7..76086ff2 100644
--- a/libde265/vui.cc
+++ b/libde265/vui.cc
@@ -201,6 +201,9 @@ de265_error video_usability_information::hrd_parameters(error_queue* errqueue, b
 if (!low_delay_hrd_flag[i]) {
 READ_VLC_OFFSET(cpb_cnt_minus1[i], uvlc, 0);
+ if (cpb_cnt_minus1[i] > 31) {
+ return DE265_ERROR_CODED_PARAMETER_OUT_OF_RANGE;
+ }
 }
 for (nalOrVcl = 0; nalOrVcl < 2; nalOrVcl++)
@@ -361,6 +364,9 @@ de265_error video_usability_information::read(error_queue* errqueue, bitreader*
 if (vui_hrd_parameters_present_flag) {
 de265_error err;
 err = hrd_parameters(errqueue, br, sps);
+ if (err) {
+ return err;
+ }
 }
 }
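Review bot: The early return added after `vui.read(...)` in `seq_parameter_set::read` turns a malformed VUI from a silently ignored condition into a failure of the whole SPS, and nothing at the call site says why. A short comment would record the reasoning, for example `// VUI parse failed: the bit position is no longer trustworthy, so the rest of the SPS must not be read`. By this point the function has already overwritten earlier SPS members, so it is worth confirming that callers discard the object on a non-zero return and do not keep a half-updated parameter set. The function body extends beyond the hunk, so that handling is not visible here.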
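Review bot: The new `cpb_cnt_minus1[i] > 31` check in `hrd_parameters` only runs in the branch that reads the field, so when `low_delay_hrd_flag[i]` is set the element keeps whatever value it held before. The hunk does not show whether it is reset before the `nalOrVcl` loop that follows, which presumably uses it as a bound over fixed-size arrays. If it is not initialised elsewhere, add `else { cpb_cnt_minus1[i] = 0; }` so a stale or uninitialised count cannot bypass the range check. The bare literal 31 should also be tied to the array dimension it protects, either through a named constant or at least a comment such as `// HEVC limits cpb_cnt_minus1 to 0..31; per-CPB arrays are sized accordingly`. The enclosing function starts and ends outside the hunk, so the array declarations and the loop body should be checked against this bound.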
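Review bot: In `video_usability_information::read` the error check is attached to a declaration that is split from its assignment (`de265_error err;` then `err = hrd_parameters(...)`), while the sps.cc hunk of this same patch uses the initialised form. Folding it to `de265_error err = hrd_parameters(errqueue, br, sps);` would make the two call sites read the same and leave no window in which `err` is uninitialised. The function continues outside the hunk, so any other unchecked parse calls in it are not visible here and may need the same treatment.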