Module: libav Branch: master Commit: 76f7e70aa04fc5dbef5242b11cbf8fe4499f61d4
Author: Anton Khirnov <[email protected]> Committer: Anton Khirnov <[email protected]> Date: Wed Jul 20 08:31:38 2016 +0200 h264dec: handle zero-sized NAL units in get_last_needed_nal() The current code will ignore the init_get_bits() failure and do an invalid read from the uninitialized GetBitContext. Found-By: Jan Ruge <[email protected]> Bug-Id: 952 --- libavcodec/h264dec.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c index faa502e..4d1702e 100644 --- a/libavcodec/h264dec.c +++ b/libavcodec/h264dec.c @@ -478,7 +478,7 @@ static void flush_dpb(AVCodecContext *avctx) static int get_last_needed_nal(H264Context *h) { int nals_needed = 0; - int i; + int i, ret; for (i = 0; i < h->pkt.nb_nals; i++) { H2645NAL *nal = &h->pkt.nals[i]; @@ -496,7 +496,14 @@ static int get_last_needed_nal(H264Context *h) case H264_NAL_DPA: case H264_NAL_IDR_SLICE: case H264_NAL_SLICE: - init_get_bits(&gb, nal->data + 1, (nal->size - 1) * 8); + ret = init_get_bits8(&gb, nal->data + 1, nal->size - 1); + if (ret < 0) { + av_log(h->avctx, AV_LOG_ERROR, "Invalid zero-sized VCL NAL unit\n"); + if (h->avctx->err_recognition & AV_EF_EXPLODE) + return ret; + + break; + } if (!get_ue_golomb(&gb)) nals_needed = i; } _______________________________________________ libav-commits mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-commits
