aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRonald S. Bultje <rsbultje@gmail.com>2012-03-29 16:37:09 -0700
committerRonald S. Bultje <rsbultje@gmail.com>2012-05-02 10:19:37 -0700
commit732f9fcfe54fc9a0a7bbce53fe86b38744c2d301 (patch)
treed3a6906815af6f71ac49eebacfde12ac918ab337
parentac80b812cd177553339467ea12548d71c9ef6865 (diff)
downloadffmpeg-732f9fcfe54fc9a0a7bbce53fe86b38744c2d301.tar.gz
h264: additional protection against unsupported size/bitdepth changes.
Fixes crashes in codepaths not covered by original checks. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: libav-stable@libav.org
-rw-r--r--libavcodec/h264.c4
-rw-r--r--libavcodec/h264_ps.c3
2 files changed, 5 insertions, 2 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 890dd223f3..6ed251ecf2 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2971,10 +2971,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
if (s->context_initialized &&
(s->width != s->avctx->width || s->height != s->avctx->height ||
av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
- if (h != h0) {
+ if (h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
av_log_missing_feature(s->avctx,
"Width/height changing with threads is", 0);
- return -1; // width / height changed during parallelized decoding
+ return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding
}
free_tables(h, 0);
flush_dpb(s->avctx);
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 354469c9ad..3f53af82a2 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -475,6 +475,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
if(pps_id >= MAX_PPS_COUNT) {
av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
return -1;
+ } else if (h->sps.bit_depth_luma > 10) {
+ av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma);
+ return AVERROR_PATCHWELCOME;
}
pps= av_mallocz(sizeof(PPS));