On Sunday, February 2, 2014, Anton Khirnov <an...@khirnov.net> wrote:
> Fixes possible invalid memory access for mismatching skipped/non-skipped > slice segments. > > Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind > Sample-Id: 00001533-google > --- > libavcodec/hevc.c | 8 ++++++++ > libavcodec/hevc.h | 2 ++ > 2 files changed, 10 insertions(+) This looks ok. Vittorio > > diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c > index bc89b17..8d9324a 100644 > --- a/libavcodec/hevc.c > +++ b/libavcodec/hevc.c > @@ -2471,6 +2471,7 @@ static int hevc_frame_start(HEVCContext *s) > > lc->start_of_tiles_x = 0; > s->is_decoded = 0; > + s->first_nal_type = s->nal_unit_type; > > if (s->pps->tiles_enabled_flag) > lc->end_of_tiles_x = s->pps->column_width[0] << > s->sps->log2_ctb_size; > @@ -2595,6 +2596,13 @@ static int decode_nal_unit(HEVCContext *s, const > uint8_t *nal, int length) > return AVERROR_INVALIDDATA; > } > > + if (s->nal_unit_type != s->first_nal_type) { > + av_log(s->avctx, AV_LOG_ERROR, > + "Non-matching NAL types of the VCL NALUs: %d %d\n", > + s->first_nal_type, s->nal_unit_type); > + return AVERROR_INVALIDDATA; > + } > + > if (!s->sh.dependent_slice_segment_flag && > s->sh.slice_type != I_SLICE) { > ret = ff_hevc_slice_rpl(s); > diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h > index a674899..accfcb6 100644 > --- a/libavcodec/hevc.h > +++ b/libavcodec/hevc.h > @@ -840,6 +840,8 @@ typedef struct HEVCContext { > HEVCNAL *nals; > int nb_nals; > int nals_allocated; > + // type of the first VCL NAL of the current frame > + enum NALUnitType first_nal_type; > > // for checking the frame checksums > struct AVMD5 *md5_ctx; > -- > 1.7.10.4 > > _______________________________________________ > libav-devel mailing list > libav-devel@libav.org > https://lists.libav.org/mailman/listinfo/libav-devel
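Review bot: In the hevc_frame_start hunk of libavcodec/hevc.c, `s->first_nal_type = s->nal_unit_type;` is the only write to the new field in this patch, so the comparison added in decode_nal_unit is only meaningful if hevc_frame_start has already run for the current frame when a slice segment reaches it. The visible lines do not show that ordering. A short comment at the assignment stating the dependency, or an explicit initial value for first_nal_type when the context is set up, would rule out a comparison against the value left over from an earlier frame.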
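Review bot: In the decode_nal_unit hunk, the message "Non-matching NAL types of the VCL NALUs: %d %d\n" prints two unlabelled integers, so someone reading the log cannot tell which value is the frame's first NAL type and which is the rejected one; labelling them (for example "first %d, current %d") would make the error usable for triage. The commit message describes mismatching skipped/non-skipped slice segments, while the test rejects any difference between s->nal_unit_type and s->first_nal_type; a one-line comment above the `if` explaining why every VCL NAL of a frame has to carry the same type would connect the check to the invalid memory access it is meant to prevent.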