authorJanne Grunau <janne-libav@jannau.net>2012-11-25 16:02:02 +0100
committerJanne Grunau <janne-libav@jannau.net>2012-11-27 12:26:33 +0100
commit6e5cdf26281945ddea3aaf5eca4d127791f23ca8 (patch)
treefb6f58ad063d041d3237e2556048e47393be88dc /libavcodec
parent150b2361ca08085415c8d67a9b1b2a6fbe1c44be (diff)
h264: check ref_count validity for num_ref_idx_active_override_flag
Fixes segfault in the fuzzed sample bipbop234.ts_s226407. CC: libav-stable@libav.org
Diffstat (limited to 'libavcodec')
-rw-r--r--libavcodec/h264.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 5440d7bc31..8226d74326 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2841,8 +2841,13 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
if (num_ref_idx_active_override_flag) {
h->ref_count[0] = get_ue_golomb(&s->gb) + 1;
- if (h->slice_type_nos == AV_PICTURE_TYPE_B)
+ if (h->ref_count[0] < 1)
+ return AVERROR_INVALIDDATA;
+ if (h->slice_type_nos == AV_PICTURE_TYPE_B) {
h->ref_count[1] = get_ue_golomb(&s->gb) + 1;
+ if (h->ref_count[1] < 1)
+ return AVERROR_INVALIDDATA;
+ }
}
if (h->slice_type_nos == AV_PICTURE_TYPE_B)
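Review bot: Both new checks run only after the parsed value has been written to `h->ref_count[0]` / `h->ref_count[1]`, so each `return AVERROR_INVALIDDATA` leaves the rejected count stored in the context. If `h` is read again after a failed slice header (later slices or error concealment, neither visible here), the invalid value is still in place. Validating in a local first avoids that, and a signed local makes `< 1` catch negative results whatever the field's type: `int cnt = get_ue_golomb(&s->gb) + 1;`, `if (cnt < 1) return AVERROR_INVALIDDATA;`, `h->ref_count[0] = cnt;`, and the same for list 1. Only the lower bound is tested in this hunk; the upper limit on the reference count is presumably enforced later in `decode_slice_header`, whose body starts and ends outside the hunk, and should be confirmed. An `av_log` call on the error paths would also make rejected streams easier to triage.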