h264: Check for out of bounds reads in ff_h264_decode_extradata().

Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 57764c699671b32f0c70795feafc0c6d7491f198)
author: Laurent Aimar <fenrir@videolan.org> 2011-09-24 16:44:14 +0200
committer: Michael Niedermayer <michaelni@gmx.at> 2011-10-01 19:54:49 +0200
commit: 101e38e08a0745a1b99d83d17358c6e81a464f8d (patch)
tree: 5df2c7ebb7fa2af12140e10e72a3a26362ee75f2
parent: 1cf6348cf7ef2bbdbd0020ebeb508c2de08a08c4 (diff)
download: ffmpeg-101e38e08a0745a1b99d83d17358c6e81a464f8d.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index b844c38b56..8d44337b5b 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1040,6 +1040,8 @@ int ff_h264_decode_extradata(H264Context *h)
         p += 6;
         for (i = 0; i < cnt; i++) {
             nalsize = AV_RB16(p) + 2;
+            if(nalsize > size - (p-buf))
+                return -1;
             if(decode_nal_units(h, p, nalsize) < 0) {
                 av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
                 return -1;
@@ -1050,6 +1052,8 @@ int ff_h264_decode_extradata(H264Context *h)
         cnt = *(p++); // Number of pps
         for (i = 0; i < cnt; i++) {
             nalsize = AV_RB16(p) + 2;
+            if(nalsize > size - (p-buf))
+                return -1;
             if (decode_nal_units(h, p, nalsize) < 0) {
                 av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
                 return -1;
author	Laurent Aimar <fenrir@videolan.org>	2011-09-24 16:44:14 +0200
committer	Michael Niedermayer <michaelni@gmx.at>	2011-10-01 19:54:49 +0200
commit	101e38e08a0745a1b99d83d17358c6e81a464f8d (patch)
tree	5df2c7ebb7fa2af12140e10e72a3a26362ee75f2
parent	1cf6348cf7ef2bbdbd0020ebeb508c2de08a08c4 (diff)
download	ffmpeg-101e38e08a0745a1b99d83d17358c6e81a464f8d.tar.gz