highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

h264dec: handle zero-sized NAL units in get_last_needed_nal()

Browse Source 
The current code will ignore the init_get_bits() failure and do an
invalid read from the uninitialized GetBitContext.

Found-By: Jan Ruge <jan.s.ruge@gmail.com>
Bug-Id: 952
This commit is contained in:
Anton Khirnov
2016-07-20 08:31:38 +02:00
parent 1f7b4f9abc
commit 76f7e70aa0
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
libavcodec/h264dec.c
View File

@ -478,7 +478,7 @@ static void flush_dpb(AVCodecContext *avctx)
static int get_last_needed_nal(H264Context *h) static int get_last_needed_nal(H264Context *h)
{ {
int nals_needed = 0; int nals_needed = 0;
int i; int i, ret;
for (i = 0; i < h->pkt.nb_nals; i++) { for (i = 0; i < h->pkt.nb_nals; i++) {
H2645NAL *nal = &h->pkt.nals[i]; H2645NAL *nal = &h->pkt.nals[i];
@ -496,7 +496,14 @@ static int get_last_needed_nal(H264Context *h)
case H264_NAL_DPA: case H264_NAL_DPA:
case H264_NAL_IDR_SLICE: case H264_NAL_IDR_SLICE:
case H264_NAL_SLICE: case H264_NAL_SLICE:
init_get_bits(&gb, nal->data + 1, (nal->size - 1) * 8); ret = init_get_bits8(&gb, nal->data + 1, nal->size - 1);
if (ret < 0) {
av_log(h->avctx, AV_LOG_ERROR, "Invalid zero-sized VCL NAL unit\n");
if (h->avctx->err_recognition & AV_EF_EXPLODE)
return ret;
break;
}
if (!get_ue_golomb(&gb)) if (!get_ue_golomb(&gb))
nals_needed = i; nals_needed = i;
} }