authorMichael Niedermayer <michaelni@gmx.at>2012-12-02 20:36:32 +0100
committerMichael Niedermayer <michaelni@gmx.at>2012-12-02 20:44:58 +0100
commit936eaa89be5de0eada9d188777427b97e568422a (patch)
treebfadfb5957b0296a941baede58abe0fffa082a93 /libavcodec/h264.c
parent2cb227f6a2a0aa04da8fbcfd4c7a6069c0cb4c36 (diff)
h264: check for integer overflow, fix null pointer dereference
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/h264.c')
-rw-r--r--libavcodec/h264.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index abed3649f9..b07c3cb143 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -4010,6 +4010,8 @@ again:
"SPS decoding failure, trying again with the complete NAL\n");
if (h->is_avc)
av_assert0(next_avc - buf_index + consumed == nalsize);
+ if ((next_avc - buf_index + consumed - 1) >= INT_MAX/8)
+ break;
init_get_bits(&s->gb, &buf[buf_index + 1 - consumed],
8*(next_avc - buf_index + consumed - 1));
ff_h264_decode_seq_parameter_set(h);
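Review bot: The added guard bounds the length only from above, so a negative value of `next_avc - buf_index + consumed - 1` would pass it and still reach `init_get_bits` as a negative bit count. Whether that can happen here is not visible, because the declarations of these variables and the code that sets `consumed` lie outside the hunk; if they are plain `int`, the sum could also overflow before the comparison is made. Computing the length once into a local (here called `len`, a constructed name) and testing both ends, `if (len < 0 || len >= INT_MAX/8) break;`, would cover this and remove the expression's three repetitions. The `break` is also silent, so a message through the same `av_log` call used just above would make a rejected SPS visible in logs. A comment such as `/* bit count is 8*len and must fit in int */` would explain why the limit is `INT_MAX/8`. The enclosing statement that `break` leaves starts outside the hunk, so confirm it exits the intended construct.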