[libav-devel] [PATCH 05/10] h264: rebuild the default ref list if the reference count changes

[Anton Khirnov]

Fixes possible access to freed memory.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-sta...@libav.org
---
 libavcodec/h264.c |   34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 3aa3af0..e3dfbfb 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3275,11 +3275,12 @@ static int h264_slice_header_init(H264Context *h, int 
reinit)
 
 int ff_set_ref_count(H264Context *h)
 {
+    int ref_count[2], list_count;
     int num_ref_idx_active_override_flag, max_refs;
 
     // set defaults, might be overridden a few lines later
-    h->ref_count[0] = h->pps.ref_count[0];
-    h->ref_count[1] = h->pps.ref_count[1];
+    ref_count[0] = h->pps.ref_count[0];
+    ref_count[1] = h->pps.ref_count[1];
 
     if (h->slice_type_nos != AV_PICTURE_TYPE_I) {
         if (h->slice_type_nos == AV_PICTURE_TYPE_B)
@@ -3287,33 +3288,42 @@ int ff_set_ref_count(H264Context *h)
         num_ref_idx_active_override_flag = get_bits1(&h->gb);
 
         if (num_ref_idx_active_override_flag) {
-            h->ref_count[0] = get_ue_golomb(&h->gb) + 1;
-            if (h->ref_count[0] < 1)
+            ref_count[0] = get_ue_golomb(&h->gb) + 1;
+            if (ref_count[0] < 1)
                 return AVERROR_INVALIDDATA;
             if (h->slice_type_nos == AV_PICTURE_TYPE_B) {
-                h->ref_count[1] = get_ue_golomb(&h->gb) + 1;
-                if (h->ref_count[1] < 1)
+                ref_count[1] = get_ue_golomb(&h->gb) + 1;
+                if (ref_count[1] < 1)
                     return AVERROR_INVALIDDATA;
             }
         }
 
         if (h->slice_type_nos == AV_PICTURE_TYPE_B)
-            h->list_count = 2;
+            list_count = 2;
         else
-            h->list_count = 1;
+            list_count = 1;
     } else {
-        h->list_count   = 0;
-        h->ref_count[0] = h->ref_count[1] = 0;
+        list_count   = 0;
+        ref_count[0] = ref_count[1] = 0;
     }
 
     max_refs = h->picture_structure == PICT_FRAME ? 16 : 32;
 
-    if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
+    if (ref_count[0] > max_refs || ref_count[1] > max_refs) {
         av_log(h->avctx, AV_LOG_ERROR, "reference overflow\n");
         h->ref_count[0] = h->ref_count[1] = 0;
         return AVERROR_INVALIDDATA;
     }
 
+    if (list_count != h->list_count ||
+        ref_count[0] != h->ref_count[0] ||
+        ref_count[1] != h->ref_count[1]) {
+        h->ref_count[0] = ref_count[0];
+        h->ref_count[1] = ref_count[1];
+        h->list_count   = list_count;
+        return 1;
+    }
+
     return 0;
 }
 
@@ -3741,6 +3751,8 @@ static int decode_slice_header(H264Context *h, 
H264Context *h0)
     ret = ff_set_ref_count(h);
     if (ret < 0)
         return ret;
+    else if (ret == 1)
+        default_ref_list_done = 0;
 
     if (!default_ref_list_done)
         ff_h264_fill_default_ref_list(h);
-- 
1.7.10.4

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel