diff options
| author | Anton Khirnov <anton@khirnov.net> | 2013-11-28 10:54:35 +0100 |
|---|---|---|
| committer | Reinhard Tartler <siretart@tauware.de> | 2014-05-31 20:05:18 -0400 |
| commit | 7f33a24e824c6d20cb941e6b20c5382becfbc923 (patch) | |
| tree | c3d31cbef0e41b419f12e0818b2d67fa5de9d8a6 /libavcodec | |
| parent | 0f71a5df4bc913f17a53c7ac66d4957914fa1d3d (diff) | |
| download | ffmpeg-7f33a24e824c6d20cb941e6b20c5382becfbc923.tar.gz | |
h264: check that execute_decode_slices() is not called too many times
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable@libav.org
Diffstat (limited to 'libavcodec')
| -rw-r--r-- | libavcodec/h264.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 886fc047fb..7d1945fc1e 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3818,6 +3818,12 @@ static int execute_decode_slices(H264Context *h, int context_count){ H264Context *hx; int i; + if (s->mb_y >= s->mb_height) { + av_log(s->avctx, AV_LOG_ERROR, + "Input contains more MB rows than the frame height.\n"); + return AVERROR_INVALIDDATA; + } + if (s->avctx->hwaccel || s->avctx->codec->capabilities&CODEC_CAP_HWACCEL_VDPAU) return 0; if(context_count == 1) { |