h264: reject mismatching luma/chroma bit depths during sps parsing

There is no point in delaying the check and it avoids bugs with a
half-initialized context.

Fixes invalid reads.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org

2 files changed, 5 insertions, 6 deletions

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 7d1945fc1e..d6e1ba1f40 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -4076,12 +4076,6 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size){
             if(avctx->has_b_frames < 2)
                 avctx->has_b_frames= !s->low_delay;
 
-            if (h->sps.bit_depth_luma != h->sps.bit_depth_chroma) {
-                av_log_missing_feature(s->avctx,
-                    "Different bit depth between chroma and luma", 1);
-                return AVERROR_PATCHWELCOME;
-            }
-
             if (avctx->bits_per_raw_sample != h->sps.bit_depth_luma ||
                 h->cur_chroma_format_idc != h->sps.chroma_format_idc) {
                 if (h->sps.bit_depth_luma >= 8 && h->sps.bit_depth_luma <= 10) {
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index ee4711c147..5d7508276b 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -349,6 +349,11 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
         }
         sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
         sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
+        if (sps->bit_depth_chroma != sps->bit_depth_luma) {
+            av_log_missing_feature(s->avctx,
+                "Different bit depth between chroma and luma", 1);
+            goto fail;
+        }
         sps->transform_bypass = get_bits1(&s->gb);
         decode_scaling_matrices(h, sps, NULL, 1, sps->scaling_matrix4, sps->scaling_matrix8);
     }else{