aboutsummaryrefslogtreecommitdiffstats
path: root/libavcodec/h264.c
diff options
context:
space:
mode:
authorMichael Niedermayer <michaelni@gmx.at>2014-02-03 23:52:38 +0100
committerMichael Niedermayer <michaelni@gmx.at>2014-02-04 00:07:27 +0100
commite708424b70bef8641e8a090ec4d9e8c4490db87e (patch)
treea7c8e562b6bd47754969b3ec4f43cbb29fa9ca34 /libavcodec/h264.c
parent1a96b27ebfa908f60510be0537508b7c9b370be0 (diff)
downloadffmpeg-e708424b70bef8641e8a090ec4d9e8c4490db87e.tar.gz
avcodec/h264: Disallow pps_id changing between slices
Such changes are forbidden in H.264 and lead to race conditions Fixes out of array read Fixes: signal_sigsegv_f9796a_1613_cov_3114610371_FM1_BT_B.h264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec/h264.c')
-rw-r--r--libavcodec/h264.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 83f4c5895e..9fa2954b3d 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3509,6 +3509,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
pps_id);
return AVERROR_INVALIDDATA;
}
+ if (h0->au_pps_id >= 0 && pps_id != h0->au_pps_id) {
+ av_log(h->avctx, AV_LOG_ERROR,
+ "PPS change from %d to %d forbidden\n",
+ h0->au_pps_id, pps_id);
+ return AVERROR_INVALIDDATA;
+ }
h->pps = *h0->pps_buffers[pps_id];
if (!h0->sps_buffers[h->pps.sps_id]) {
@@ -4104,6 +4110,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
if (h->ref_count[0]) h->er.last_pic = &h->ref_list[0][0];
if (h->ref_count[1]) h->er.next_pic = &h->ref_list[1][0];
h->er.ref_count = h->ref_count[0];
+ h0->au_pps_id = pps_id;
if (h->avctx->debug & FF_DEBUG_PICT_INFO) {
av_log(h->avctx, AV_LOG_DEBUG,
@@ -4872,6 +4879,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size,
continue;
again:
+ if ( !(avctx->active_thread_type & FF_THREAD_FRAME)
+ || nals_needed >= nal_index)
+ h->au_pps_id = -1;
/* Ignore per frame NAL unit type during extradata
* parsing. Decoding slices is not possible in codec init
* with frame-mt */