h264: Add check for invalid chroma_format_idc

Fixes a crash when FF_DEBUG_PICT_INFO is used. Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com> (cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df) Fixes: CVE-2012-0851 Signed-off-by: Reinhard Tartler <siretart@tauware.de>
author: Alexander Strange <astrange@ithinksw.com> 2012-03-24 17:32:14 -0400
committer: Reinhard Tartler <siretart@tauware.de> 2012-05-22 21:57:38 +0200
commit: 47132345184dc3d0ff962a57a1225564fe979548 (patch)
tree: bd695fec88cce0eb62565da08597a33574210310
parent: 58361100188a1f80bcd9b6c58a4ce588032da1ad (diff)
download: ffmpeg-47132345184dc3d0ff962a57a1225564fe979548.tar.gz
1 files changed, 5 insertions, 1 deletions
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index c6623a97ef..ff6103c2c0 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -332,8 +332,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
 
     if(sps->profile_idc >= 100){ //high profile
         sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
-        if(sps->chroma_format_idc == 3)
+        if(sps->chroma_format_idc > 3) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc);
+            return -1;
+        } else if(sps->chroma_format_idc == 3) {
             sps->residual_color_transform_flag = get_bits1(&s->gb);
+        }
         sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
         sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
         sps->transform_bypass = get_bits1(&s->gb);
author	Alexander Strange <astrange@ithinksw.com>	2012-03-24 17:32:14 -0400
committer	Reinhard Tartler <siretart@tauware.de>	2012-05-22 21:57:38 +0200
commit	47132345184dc3d0ff962a57a1225564fe979548 (patch)
tree	bd695fec88cce0eb62565da08597a33574210310
parent	58361100188a1f80bcd9b6c58a4ce588032da1ad (diff)
download	ffmpeg-47132345184dc3d0ff962a57a1225564fe979548.tar.gz