Prevents writes beyond the end of the buffer when MBAFF frames reference a field picture with ref_count > 16. Fixes a crash due to a trashed decoder context with the fuzzed sample CVMANL2_TOSHIBA_B.264_s7625. --- libavcodec/h264_direct.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c
index cc6e018..f0c6eb5 100644
--- a/libavcodec/h264_direct.c
+++ b/libavcodec/h264_direct.c
@@ -25,6 +25,8 @@
  * @author Michael Niedermayer <[email protected]>
  */
 
+#include "libavutil/avassert.h"
+
 #include "internal.h"
 #include "dsputil.h"
 #include "avcodec.h"
@@ -78,9 +80,15 @@ static void fill_colmap(H264Context *h, int map[2][16+32], int list, int field,
     memset(map[list], 0, sizeof(map[list]));
 
     for(rfield=0; rfield<2; rfield++){
-        for(old_ref=0; old_ref<ref1->ref_count[colfield][list]; old_ref++){
+        // FIXME: this function assumes ref_count never to exceed 16
+        int ref_count = ref1->ref_count[colfield][list];
+        if (ref_count > 16) {
+            ref_count = 16;
+            av_log_missing_feature(s->avctx, "Direct spatial prediction with " "ref_count > 16", 1);
+        }
+        for (old_ref = 0; old_ref < ref_count; old_ref++) {
             int poc = ref1->ref_poc[colfield][list][old_ref];
-
             if (!interl)
                 poc |= 3;
             else if( interl && (poc&3) == 3) //FIXME store all MBAFF references so this isnt needed
--
1.7.12.4
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
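Review bot: The `#include "libavutil/avassert.h"` added in the first hunk is not used by anything this patch introduces — the new code in fill_colmap only clamps `ref_count` and calls av_log_missing_feature — so it is either a leftover or the assertion that was meant to back the `// FIXME` comment never made it in; as submitted the include is dead. The clamp and the log call sit inside the `rfield` loop even though `ref1->ref_count[colfield][list]` does not depend on `rfield`, so one affected slice emits the message twice and a stream that keeps ref_count above 16 repeats it on every slice; moving the three lines `int ref_count = ...; if (ref_count > 16) { ... }` above `for(rfield=0; ...)` halves the noise at no cost. It is also worth stating in the FIXME what the clamp does to the dropped entries, since they now fall through to the zeroed map from the memset above: `// FIXME: this function assumes ref_count never to exceed 16; entries >= 16 are left unmapped (0) by the memset above`. fill_colmap begins and ends outside this hunk, so whether the later map[] writes are also bounded by the clamped value cannot be confirmed from here.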
