author | Janne Grunau <janne-libav@jannau.net> | 2012-11-15 22:03:58 +0100 |
---|---|---|
committer | Janne Grunau <janne-libav@jannau.net> | 2012-11-16 13:18:28 +0100 |
commit | 60b6b8c019723bdb3227e1476d706c7989bb94bf (patch) | |
tree | 5e1fc1e4077bfac5cf62c86f6584e6fe5d65dad7 /libavcodec | |
parent | 8c3849bc76c124d5803f9db52c7c88a79226323d (diff) | |
download | ffmpeg-60b6b8c019723bdb3227e1476d706c7989bb94bf.tar.gz |
h264: always check ref_count for validity
Fixes a crash with zuffed files.
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/h264.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 8648a8d90b..08957da904 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -2356,7 +2356,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) MpegEncContext *const s0 = &h0->s; unsigned int first_mb_in_slice; unsigned int pps_id; - int num_ref_idx_active_override_flag; + int num_ref_idx_active_override_flag, max_refs; unsigned int slice_type, tmp, i, j; int default_ref_list_done = 0; int last_pic_structure, last_pic_dropable; @@ -2835,8 +2835,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0) h->ref_count[1] = h->pps.ref_count[1]; if (h->slice_type_nos != AV_PICTURE_TYPE_I) { - int max_refs = s->picture_structure == PICT_FRAME ? 16 : 32; - if (h->slice_type_nos == AV_PICTURE_TYPE_B) h->direct_spatial_mv_pred = get_bits1(&s->gb); num_ref_idx_active_override_flag = get_bits1(&s->gb); @@ -2847,12 +2845,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0) h->ref_count[1] = get_ue_golomb(&s->gb) + 1; } - if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { - av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); - h->ref_count[0] = h->ref_count[1] = 1; - return AVERROR_INVALIDDATA; - } - if (h->slice_type_nos == AV_PICTURE_TYPE_B) h->list_count = 2; else @@ -2860,6 +2852,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0) } else h->list_count = 0; + max_refs = s->picture_structure == PICT_FRAME ? 16 : 32; + + if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) { + av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); + h->ref_count[0] = h->ref_count[1] = 1; + return AVERROR_INVALIDDATA; + } + if (!default_ref_list_done) ff_h264_fill_default_ref_list(h); |
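Review bot: On the failure path of the relocated check, `h->ref_count[0] = h->ref_count[1] = 1;` leaves the context claiming one active reference per list while `h->list_count` has already been set for this slice and `ff_h264_fill_default_ref_list(h)` has not run, so anything that reads the context after the `AVERROR_INVALIDDATA` return sees counts that were never backed by a filled list. Resetting to an empty state looks safer, e.g. `h->ref_count[0] = h->ref_count[1] = 0;` together with `h->list_count = 0;`, assuming no later code requires a non-zero count. The check now also covers I slices, whose counts are the PPS defaults copied in the second hunk's context (`h->ref_count[1] = h->pps.ref_count[1];`); since the frame limit is 16 and the field limit 32, it is worth confirming that a frame-coded I slice under a PPS sized for field pictures is not rejected here, or clearing the counts in the `else` branch instead of validating values the slice does not use. Including the offending counts and `max_refs` in the "reference overflow" message would make fuzzed samples easier to triage. decode_slice_header starts and ends outside these hunks.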