h264: stricter reference limit enforcement.
Progressive images can have only 16 references, error out if there are more, since the data is almost certainly corrupt, and the invalid value will lead to random crashes or invalid writes later on. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
This commit is contained in:
parent
48cbe4b092
commit
e0febda22d
@ -3021,6 +3021,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
|
||||
h->ref_count[1]= h->pps.ref_count[1];
|
||||
|
||||
if(h->slice_type_nos != AV_PICTURE_TYPE_I){
|
||||
int max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;
|
||||
|
||||
if(h->slice_type_nos == AV_PICTURE_TYPE_B){
|
||||
h->direct_spatial_mv_pred= get_bits1(&s->gb);
|
||||
}
|
||||
@ -3030,13 +3032,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
|
||||
h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
|
||||
if(h->slice_type_nos==AV_PICTURE_TYPE_B)
|
||||
h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
|
||||
|
||||
if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){
|
||||
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
|
||||
h->ref_count[0]= h->ref_count[1]= 1;
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
|
||||
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
|
||||
h->ref_count[0] = h->ref_count[1] = 1;
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
||||
if(h->slice_type_nos == AV_PICTURE_TYPE_B)
|
||||
h->list_count= 2;
|
||||
else
|
||||
|
Loading…
Reference in New Issue
Block a user