generic-library/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

h264: rebuild the default ref list if the reference count changes

Browse Source 
Fixes possible access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
This commit is contained in:
Anton Khirnov 2013-11-28 10:54:35 +01:00
parent 4736d003fa
commit 9a026c7298
1 changed files with 23 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
libavcodec/h264.c
View File

@ -3275,11 +3275,12 @@ static int h264_slice_header_init(H264Context *h, int reinit)
int ff_set_ref_count(H264Context *h) int ff_set_ref_count(H264Context *h)
{ {
int ref_count[2], list_count;
int num_ref_idx_active_override_flag, max_refs; int num_ref_idx_active_override_flag, max_refs;
// set defaults, might be overridden a few lines later // set defaults, might be overridden a few lines later
h->ref_count[0] = h->pps.ref_count[0]; ref_count[0] = h->pps.ref_count[0];
h->ref_count[1] = h->pps.ref_count[1]; ref_count[1] = h->pps.ref_count[1];
if (h->slice_type_nos != AV_PICTURE_TYPE_I) { if (h->slice_type_nos != AV_PICTURE_TYPE_I) {
if (h->slice_type_nos == AV_PICTURE_TYPE_B) if (h->slice_type_nos == AV_PICTURE_TYPE_B)
@ -3287,33 +3288,42 @@ int ff_set_ref_count(H264Context *h)
num_ref_idx_active_override_flag = get_bits1(&h->gb); num_ref_idx_active_override_flag = get_bits1(&h->gb);
if (num_ref_idx_active_override_flag) { if (num_ref_idx_active_override_flag) {
h->ref_count[0] = get_ue_golomb(&h->gb) + 1; ref_count[0] = get_ue_golomb(&h->gb) + 1;
if (h->ref_count[0] < 1) if (ref_count[0] < 1)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
if (h->slice_type_nos == AV_PICTURE_TYPE_B) { if (h->slice_type_nos == AV_PICTURE_TYPE_B) {
h->ref_count[1] = get_ue_golomb(&h->gb) + 1; ref_count[1] = get_ue_golomb(&h->gb) + 1;
if (h->ref_count[1] < 1) if (ref_count[1] < 1)
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
} }
if (h->slice_type_nos == AV_PICTURE_TYPE_B) if (h->slice_type_nos == AV_PICTURE_TYPE_B)
h->list_count = 2; list_count = 2;
else else
h->list_count = 1; list_count = 1;
} else { } else {
h->list_count = 0; list_count = 0;
h->ref_count[0] = h->ref_count[1] = 0; ref_count[0] = ref_count[1] = 0;
} }
max_refs = h->picture_structure == PICT_FRAME ? 16 : 32; max_refs = h->picture_structure == PICT_FRAME ? 16 : 32;
if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { if (ref_count[0] > max_refs || ref_count[1] > max_refs) {
av_log(h->avctx, AV_LOG_ERROR, "reference overflow\n"); av_log(h->avctx, AV_LOG_ERROR, "reference overflow\n");
h->ref_count[0] = h->ref_count[1] = 0; h->ref_count[0] = h->ref_count[1] = 0;
return AVERROR_INVALIDDATA; return AVERROR_INVALIDDATA;
} }
if (list_count != h->list_count ||
ref_count[0] != h->ref_count[0] ||
ref_count[1] != h->ref_count[1]) {
h->ref_count[0] = ref_count[0];
h->ref_count[1] = ref_count[1];
h->list_count = list_count;
return 1;
}
return 0; return 0;
} }
@ -3741,6 +3751,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
ret = ff_set_ref_count(h); ret = ff_set_ref_count(h);
if (ret < 0) if (ret < 0)
return ret; return ret;
else if (ret == 1)
default_ref_list_done = 0;
if (!default_ref_list_done) if (!default_ref_list_done)
ff_h264_fill_default_ref_list(h); ff_h264_fill_default_ref_list(h);