avcodec/h264_slice: Do not change frame_num after the first slice

Fixes potential race condition
Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f906982c9411f3062e3ce68013309b37c213c4dd)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>

1 files changed, 10 insertions, 1 deletions

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index b1709f9bba..2ed62c9423 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1306,6 +1306,7 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0)
     int needs_reinit = 0;
     int field_pic_flag, bottom_field_flag;
     int first_slice = h == h0 && !h0->current_slice;
+    int frame_num;
     PPS *pps;
 
     h->qpel_put = h->h264qpel.put_h264_qpel_pixels_tab;
@@ -1515,7 +1516,15 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0)
         h264_init_dequant_tables(h);
     }
 
-    h->frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num);
+    frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num);
+    if (!first_slice) {
+        if (h0->frame_num != frame_num) {
+            av_log(h->avctx, AV_LOG_ERROR, "Frame num change from %d to %d\n",
+                   h0->frame_num, frame_num);
+            return AVERROR_INVALIDDATA;
+        }
+    }
+    h->frame_num = frame_num;
 
     h->mb_mbaff        = 0;
     h->mb_aff_frame    = 0;