hevc: check that the VCL NAL types are the same for all slice segments of a frame

Fixes possible invalid memory access for mismatching skipped/non-skipped
slice segments.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Sample-Id: 00001533-google

2 files changed, 10 insertions, 0 deletions

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index bc89b17f26..8d9324a707 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2471,6 +2471,7 @@ static int hevc_frame_start(HEVCContext *s)
 
     lc->start_of_tiles_x = 0;
     s->is_decoded        = 0;
+    s->first_nal_type    = s->nal_unit_type;
 
     if (s->pps->tiles_enabled_flag)
         lc->end_of_tiles_x = s->pps->column_width[0] << s->sps->log2_ctb_size;
@@ -2595,6 +2596,13 @@ static int decode_nal_unit(HEVCContext *s, const uint8_t *nal, int length)
             return AVERROR_INVALIDDATA;
         }
 
+        if (s->nal_unit_type != s->first_nal_type) {
+            av_log(s->avctx, AV_LOG_ERROR,
+                   "Non-matching NAL types of the VCL NALUs: %d %d\n",
+                   s->first_nal_type, s->nal_unit_type);
+            return AVERROR_INVALIDDATA;
+        }
+
         if (!s->sh.dependent_slice_segment_flag &&
             s->sh.slice_type != I_SLICE) {
             ret = ff_hevc_slice_rpl(s);
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index a674899b6f..accfcb6107 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -840,6 +840,8 @@ typedef struct HEVCContext {
     HEVCNAL *nals;
     int nb_nals;
     int nals_allocated;
+    // type of the first VCL NAL of the current frame
+    enum NALUnitType first_nal_type;
 
     // for checking the frame checksums
     struct AVMD5 *md5_ctx;