On Wed, Jul 30, 2014 at 07:52:01PM +0100, Vittorio Giovara wrote:
> Properly address CVE-2011-3946 and parse bitstream as described in the spec.
>
> CC: [email protected]
> Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
> ---
> libavcodec/h264_sei.c | 17 +++++++++++------
> 1 file changed, 11 insertions(+), 6 deletions(-)
>
> diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
> index 33230b7..641ee1d 100644
> --- a/libavcodec/h264_sei.c
> +++ b/libavcodec/h264_sei.c
> @@ -222,14 +222,19 @@ int ff_h264_decode_sei(H264Context *h)
> int size = 0;
> int type = 0;
> int ret = 0;
> + int last = 0;
>
> - do
> - type += show_bits(&h->gb, 8);
> - while (get_bits(&h->gb, 8) == 255);
> + while (get_bits_left(&h->gb) >= 8 &&
> + (last = get_bits(&h->gb, 8)) == 255) {
> + type += 255;
> + }
> + type += last;
>
> - do
> - size += show_bits(&h->gb, 8);
> - while (get_bits(&h->gb, 8) == 255);
last = 0 missing here?
> + while (get_bits_left(&h->gb) >= 8 &&
> + (last = get_bits(&h->gb, 8)) == 255) {
> + size += 255;
> + }
> + size += last;
>
> if (size > get_bits_left(&h->gb) / 8) {
> av_log(h->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",
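Review bot: in both new loops, exiting on the `get_bits_left(&h->gb) >= 8` guard instead of on a non-255 byte leaves `last` holding a stale value: after the first loop it is still 255 from the last 0xFF that was read (or 0 if nothing was read), and because `last` is not reset before the second loop, `size += last;` then adds whatever the type loop left behind when the stream runs out before the size bytes. Suggest reinitialising `last = 0;` before the size loop and treating exhaustion of the bitstream inside either loop as a truncated SEI (e.g. `return AVERROR_INVALIDDATA;`), since the spec requires each ff_byte run to be terminated by a non-255 byte and the existing `size > get_bits_left(&h->gb) / 8` check below only catches an oversized size, not a stale type.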
> --
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel