generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

h264: stricter reference limit enforcement.

Browse Source 
Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
(cherry picked from commit e0febda22d)

Signed-off-by: Reinhard Tartler <siretart@tauware.de>
This commit is contained in:
Ronald S. Bultje
2012-03-13 16:26:44 -07:00
committed by Reinhard Tartler
parent a81a6d9c80
commit 4d343a6f47
1 changed files with 9 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
libavcodec/h264.c
View File

@@ -3020,6 +3020,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
h->ref_count[1]= h->pps.ref_count[1];
if(h->slice_type_nos != AV_PICTURE_TYPE_I){
int max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;
if(h->slice_type_nos == AV_PICTURE_TYPE_B){
h->direct_spatial_mv_pred= get_bits1(&s->gb);
}
@@ -3029,13 +3031,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
if(h->slice_type_nos==AV_PICTURE_TYPE_B)
h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
h->ref_count[0]= h->ref_count[1]= 1;
return -1;
}
}
if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
h->ref_count[0] = h->ref_count[1] = 1;
return AVERROR_INVALIDDATA;
}
if(h->slice_type_nos == AV_PICTURE_TYPE_B)
h->list_count= 2;
else