diff options
author | Jeff Downs <heydowns@borg.com> | 2007-12-14 05:48:27 +0000 |
---|---|---|
committer | Jeff Downs <heydowns@borg.com> | 2007-12-14 05:48:27 +0000 |
commit | 41f7e2d11d2dca23842ee89d530ca9fa15cec9d8 (patch) | |
tree | 74ff571b36057b519dd50f8e79d19dca7d70e54c | |
parent | 33e00731294e304ef7935fdb6dd7214bc4df391f (diff) | |
download | ffmpeg-41f7e2d11d2dca23842ee89d530ca9fa15cec9d8.tar.gz |
Actually return with an error condition if we're being asked to deal with too
many reference frames. Also check max num ref frames against our internal
ref buffer sizes.
Part of fix for roundup issue 281
Originally committed as revision 11215 to svn://svn.ffmpeg.org/ffmpeg/trunk
-rw-r--r-- | libavcodec/h264.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 822a20f6ce..f34bf2c5e2 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -7210,8 +7210,9 @@ static inline int decode_seq_parameter_set(H264Context *h){ } tmp= get_ue_golomb(&s->gb); - if(tmp > MAX_PICTURE_COUNT-2){ + if(tmp > MAX_PICTURE_COUNT-2 || tmp >= 32){ av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n"); + return -1; } sps->ref_frame_count= tmp; sps->gaps_in_frame_num_allowed_flag= get_bits1(&s->gb); |