avcodec/hevc_sei: fix amount of bits skipped when reading picture timing SEI message

The code was skipping the entire reported SEI message size regardless of
the amount of bits read.
While in theory safe for NALU where the picture timing SEI message is alone
or at the end as we're using the checked bitstream reader, it isn't in any
other situation, where every SEI message in the NALU after the picture
timing one would potentially fail to parse.

Reviewed-by: Michael Niedermayer <michael@niedermayer.cc>
Signed-off-by: James Almer <jamrial@gmail.com>
(cherry picked from commit f738140807f504c9af7850042067777832f05e88)

Conflicts:
	libavcodec/hevc_sei.c

1 files changed, 7 insertions, 4 deletions

diff --git a/libavcodec/hevc_sei.c b/libavcodec/hevc_sei.c
index f598b6393a..9cf5e80010 100644
--- a/libavcodec/hevc_sei.c
+++ b/libavcodec/hevc_sei.c
@@ -145,7 +145,7 @@ static int decode_nal_sei_display_orientation(HEVCContext *s)
     return 0;
 }
 
-static int decode_pic_timing(HEVCContext *s)
+static int decode_pic_timing(HEVCContext *s, int size)
 {
     GetBitContext *gb = &s->HEVClc->gb;
     HEVCSPS *sps;
@@ -166,8 +166,12 @@ static int decode_pic_timing(HEVCContext *s)
         }
         get_bits(gb, 2);                   // source_scan_type
         get_bits(gb, 1);                   // duplicate_flag
+        skip_bits1(gb);
+        size--;
     }
-    return 1;
+    skip_bits_long(gb, 8 * size);
+
+    return 0;
 }
 
 static int decode_registered_user_data_closed_caption(HEVCContext *s, int size)
@@ -297,9 +301,8 @@ static int decode_nal_sei_prefix(HEVCContext *s, int type, int size)
         return decode_nal_sei_display_orientation(s);
     case SEI_TYPE_PICTURE_TIMING:
         {
-            int ret = decode_pic_timing(s);
+            int ret = decode_pic_timing(s, size);
             av_log(s->avctx, AV_LOG_DEBUG, "Skipped PREFIX SEI %d\n", type);
-            skip_bits(gb, 8 * size);
             return ret;
         }
     case SEI_TYPE_MASTERING_DISPLAY_INFO: