diff options
| author | Anton Khirnov <anton@khirnov.net> | 2013-11-28 10:54:35 +0100 |
|---|---|---|
| committer | Anton Khirnov <anton@khirnov.net> | 2014-01-06 08:25:25 +0100 |
| commit | 9eef9eb3014b2ed9c3ff4aac510a9f04edb555cf (patch) | |
| tree | 900204307fecc218b6fdc201cf0a35cd87cf31f9 /libavcodec | |
| parent | bfd26b7ce6efea594f2b99441d900419df3af638 (diff) | |
| download | ffmpeg-9eef9eb3014b2ed9c3ff4aac510a9f04edb555cf.tar.gz | |
h264: check that execute_decode_slices() is not called too many times
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/h264.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c index c0dfa3d638..7d49d4877d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -4495,6 +4495,12 @@ static int execute_decode_slices(H264Context *h, int context_count) H264Context *hx; int i; + if (h->mb_y >= h->mb_height) { + av_log(h->avctx, AV_LOG_ERROR, + "Input contains more MB rows than the frame height.\n"); + return AVERROR_INVALIDDATA; + } + if (h->avctx->hwaccel) return 0; if (context_count == 1) { |