diff options
author | Michael Niedermayer <michaelni@gmx.at> | 2014-02-03 23:52:38 +0100 |
---|---|---|
committer | Michael Niedermayer <michaelni@gmx.at> | 2014-02-04 00:07:27 +0100 |
commit | e708424b70bef8641e8a090ec4d9e8c4490db87e (patch) | |
tree | a7c8e562b6bd47754969b3ec4f43cbb29fa9ca34 /libavcodec | |
parent | 1a96b27ebfa908f60510be0537508b7c9b370be0 (diff) | |
download | ffmpeg-e708424b70bef8641e8a090ec4d9e8c4490db87e.tar.gz |
avcodec/h264: Disallow pps_id changing between slices
Such changes are forbidden in H.264 and lead to race conditions
Fixes out of array read
Fixes: signal_sigsegv_f9796a_1613_cov_3114610371_FM1_BT_B.h264
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/h264.c | 10 | ||||
-rw-r--r-- | libavcodec/h264.h | 2 |
2 files changed, 12 insertions, 0 deletions
diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 83f4c5895e..9fa2954b3d 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -3509,6 +3509,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0) pps_id); return AVERROR_INVALIDDATA; } + if (h0->au_pps_id >= 0 && pps_id != h0->au_pps_id) { + av_log(h->avctx, AV_LOG_ERROR, + "PPS change from %d to %d forbidden\n", + h0->au_pps_id, pps_id); + return AVERROR_INVALIDDATA; + } h->pps = *h0->pps_buffers[pps_id]; if (!h0->sps_buffers[h->pps.sps_id]) { @@ -4104,6 +4110,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) if (h->ref_count[0]) h->er.last_pic = &h->ref_list[0][0]; if (h->ref_count[1]) h->er.next_pic = &h->ref_list[1][0]; h->er.ref_count = h->ref_count[0]; + h0->au_pps_id = pps_id; if (h->avctx->debug & FF_DEBUG_PICT_INFO) { av_log(h->avctx, AV_LOG_DEBUG, @@ -4872,6 +4879,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size, continue; again: + if ( !(avctx->active_thread_type & FF_THREAD_FRAME) + || nals_needed >= nal_index) + h->au_pps_id = -1; /* Ignore per frame NAL unit type during extradata * parsing. Decoding slices is not possible in codec init * with frame-mt */ diff --git a/libavcodec/h264.h b/libavcodec/h264.h index 916f1043d1..6606d0b973 100644 --- a/libavcodec/h264.h +++ b/libavcodec/h264.h @@ -390,6 +390,8 @@ typedef struct H264Context { */ PPS pps; // FIXME move to Picture perhaps? (->no) do we need that? + int au_pps_id; ///< pps_id of current access unit + uint32_t dequant4_buffer[6][QP_MAX_NUM + 1][16]; // FIXME should these be moved down? uint32_t dequant8_buffer[6][QP_MAX_NUM + 1][64]; uint32_t(*dequant4_coeff[6])[16]; |