diff options
| author | Anton Khirnov <anton@khirnov.net> | 2016-07-20 08:31:38 +0200 |
|---|---|---|
| committer | Anton Khirnov <anton@khirnov.net> | 2016-07-20 16:35:55 +0200 |
| commit | 76f7e70aa04fc5dbef5242b11cbf8fe4499f61d4 (patch) | |
| tree | ec5c0f0c759689f318fa8d1328bcf945edc9dd89 /libavcodec/h264dec.c | |
| parent | 1f7b4f9abc6bae94e576e710b8d10117ca3c8238 (diff) | |
| download | ffmpeg-76f7e70aa04fc5dbef5242b11cbf8fe4499f61d4.tar.gz | |
h264dec: handle zero-sized NAL units in get_last_needed_nal()
The current code will ignore the init_get_bits() failure and do an
invalid read from the uninitialized GetBitContext.
Found-By: Jan Ruge <jan.s.ruge@gmail.com>
Bug-Id: 952
Diffstat (limited to 'libavcodec/h264dec.c')
| -rw-r--r-- | libavcodec/h264dec.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index faa502ed09..4d1702e114 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c @@ -478,7 +478,7 @@ static void flush_dpb(AVCodecContext *avctx) static int get_last_needed_nal(H264Context *h) { int nals_needed = 0; - int i; + int i, ret; for (i = 0; i < h->pkt.nb_nals; i++) { H2645NAL *nal = &h->pkt.nals[i]; @@ -496,7 +496,14 @@ static int get_last_needed_nal(H264Context *h) case H264_NAL_DPA: case H264_NAL_IDR_SLICE: case H264_NAL_SLICE: - init_get_bits(&gb, nal->data + 1, (nal->size - 1) * 8); + ret = init_get_bits8(&gb, nal->data + 1, nal->size - 1); + if (ret < 0) { + av_log(h->avctx, AV_LOG_ERROR, "Invalid zero-sized VCL NAL unit\n"); + if (h->avctx->err_recognition & AV_EF_EXPLODE) + return ret; + + break; + } if (!get_ue_golomb(&gb)) nals_needed = i; } |