h264: additional protection against unsupported size/bitdepth changes.

Fixes crashes in codepaths not covered by original checks.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

2 files changed, 5 insertions, 2 deletions

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 890dd223f3..6ed251ecf2 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2971,10 +2971,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
     if (s->context_initialized &&
         (s->width != s->avctx->width || s->height != s->avctx->height ||
          av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
-        if (h != h0) {
+        if (h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
             av_log_missing_feature(s->avctx,
                                    "Width/height changing with threads is", 0);
-            return -1;   // width / height changed during parallelized decoding
+            return AVERROR_PATCHWELCOME;   // width / height changed during parallelized decoding
         }
         free_tables(h, 0);
         flush_dpb(s->avctx);
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 354469c9ad..3f53af82a2 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -475,6 +475,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
     if(pps_id >= MAX_PPS_COUNT) {
         av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
         return -1;
+    } else if (h->sps.bit_depth_luma > 10) {
+        av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma);
+        return AVERROR_PATCHWELCOME;
     }
 
     pps= av_mallocz(sizeof(PPS));