authorMichael Niedermayer <michaelni@gmx.at>2011-09-10 16:28:53 +0200
committerMichael Niedermayer <michaelni@gmx.at>2011-09-21 18:02:13 +0200
commit97437dada65833d09604c40f01c874a676de3c32 (patch)
treee7fde958e784bdd7ddc67e6a7b216819dbae5bb8 /libavcodec
parentc8736de331e4da336e8dfb8805a220af2bd67dc2 (diff)
h264dec: Prevent CABAC and CAVLC bitsteram overreading
Signed-off-by: Michael Niedermayer <michaelni@gmx.at> (cherry picked from commit 23f5cff92cdcfa55a735c458fcb5f95c0e0f3b1f)
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/h264.c18
-rw-r--r--libavcodec/h264.h2
2 files changed, 13 insertions, 7 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 3701bc9b73..ee2c6a31a0 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -183,20 +183,24 @@ const uint8_t *ff_h264_decode_nal(H264Context *h, const uint8_t *src, int *dst_l
i-= RS;
}
- if(i>=length-1){ //no escaped 0
- *dst_length= length;
- *consumed= length+1; //+1 for the header
- return src;
- }
-
bufidx = h->nal_unit_type == NAL_DPC ? 1 : 0; // use second escape buffer for inter data
- av_fast_malloc(&h->rbsp_buffer[bufidx], &h->rbsp_buffer_size[bufidx], length+FF_INPUT_BUFFER_PADDING_SIZE);
+ si=h->rbsp_buffer_size[bufidx];
+ av_fast_malloc(&h->rbsp_buffer[bufidx], &h->rbsp_buffer_size[bufidx], length+FF_INPUT_BUFFER_PADDING_SIZE+MAX_MBPAIR_SIZE);
dst= h->rbsp_buffer[bufidx];
+ if(si != h->rbsp_buffer_size[bufidx])
+ memset(dst + length, 0, FF_INPUT_BUFFER_PADDING_SIZE+MAX_MBPAIR_SIZE);
if (dst == NULL){
return NULL;
}
+ if(i>=length-1){ //no escaped 0
+ *dst_length= length;
+ *consumed= length+1; //+1 for the header
+ memcpy(dst, src, length);
+ return dst;
+ }
+
//printf("decoding esc\n");
memcpy(dst, src, i);
si=di=i;
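Review bot: The added `memset(dst + length, 0, ...)` is reached before the `if (dst == NULL)` check that follows it, so a failed av_fast_malloc() on a context that already held a buffer (pointer set to NULL, size reset to 0, which no longer equals the saved `si`) writes through a NULL-based pointer instead of returning NULL. Move the `if (dst == NULL){ return NULL; }` block directly after `dst= h->rbsp_buffer[bufidx];` and before the `si !=` test. Also, the padding is cleared only when the buffer size changes, so on the new no-escape path (`memcpy(dst, src, length); return dst;`) a reused buffer still holds bytes of an earlier, longer NAL past `dst + length`; if callers expect zeroed padding there, clear `FF_INPUT_BUFFER_PADDING_SIZE` bytes after the copy. ff_h264_decode_nal starts and ends outside this hunk, so whether the escaped path clears its tail is not visible here.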
diff --git a/libavcodec/h264.h b/libavcodec/h264.h
index 4188ad922c..76e9832975 100644
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -53,6 +53,8 @@
#define MAX_DELAYED_PIC_COUNT 16
+#define MAX_MBPAIR_SIZE (256*1024) // a tighter bound could be calculated if someone cares about a few bytes
+
/* Compiling in interlaced support reduces the speed
* of progressive decoding by about 2%. */
#define ALLOW_INTERLACE
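Review bot: The comment on `MAX_MBPAIR_SIZE` says the value is loose but not what it bounds, and the extra allocation in h264.c only prevents over-reads if no macroblock pair can consume more than this many bytes past the end of the NAL. I would state that invariant on the define, e.g. `// upper bound on bytes one MB pair can read past the NAL end; rbsp_buffer is over-allocated by this much`, and name the place where the decoder stops once the read position passes the end. That check is not part of the visible hunks, so its existence is inferred from the commit title only.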