generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

h264: always check ref_count for validity

Browse Source 
Fixes a crash with zuffed files.
This commit is contained in:
Janne Grunau 2012-11-15 22:03:58 +01:00
parent 8c3849bc76
commit 60b6b8c019
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
libavcodec/h264.c
View File

@ -2356,7 +2356,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
MpegEncContext *const s0 = &h0->s; MpegEncContext *const s0 = &h0->s;
unsigned int first_mb_in_slice; unsigned int first_mb_in_slice;
unsigned int pps_id; unsigned int pps_id;
int num_ref_idx_active_override_flag; int num_ref_idx_active_override_flag, max_refs;
unsigned int slice_type, tmp, i, j; unsigned int slice_type, tmp, i, j;
int default_ref_list_done = 0; int default_ref_list_done = 0;
int last_pic_structure, last_pic_dropable; int last_pic_structure, last_pic_dropable;
@ -2835,8 +2835,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h->ref_count[1] = h->pps.ref_count[1]; h->ref_count[1] = h->pps.ref_count[1];
if (h->slice_type_nos != AV_PICTURE_TYPE_I) { if (h->slice_type_nos != AV_PICTURE_TYPE_I) {
int max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;
if (h->slice_type_nos == AV_PICTURE_TYPE_B) if (h->slice_type_nos == AV_PICTURE_TYPE_B)
h->direct_spatial_mv_pred = get_bits1(&s->gb); h->direct_spatial_mv_pred = get_bits1(&s->gb);
num_ref_idx_active_override_flag = get_bits1(&s->gb); num_ref_idx_active_override_flag = get_bits1(&s->gb);
@ -2847,12 +2845,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h->ref_count[1] = get_ue_golomb(&s->gb) + 1; h->ref_count[1] = get_ue_golomb(&s->gb) + 1;
} }
if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
h->ref_count[0] = h->ref_count[1] = 1;
return AVERROR_INVALIDDATA;
}
if (h->slice_type_nos == AV_PICTURE_TYPE_B) if (h->slice_type_nos == AV_PICTURE_TYPE_B)
h->list_count = 2; h->list_count = 2;
else else
@ -2860,6 +2852,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
} else } else
h->list_count = 0; h->list_count = 0;
max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;
if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
h->ref_count[0] = h->ref_count[1] = 1;
return AVERROR_INVALIDDATA;
}
if (!default_ref_list_done) if (!default_ref_list_done)
ff_h264_fill_default_ref_list(h); ff_h264_fill_default_ref_list(h);