Commit 11c3381c authored by Michael Niedermayer's avatar Michael Niedermayer

h264: move the default_ref_list_done check down after its inputs have been written

Fixes out of array read

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 3f2ce24f
...@@ -3184,7 +3184,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0) ...@@ -3184,7 +3184,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
unsigned int pps_id; unsigned int pps_id;
int num_ref_idx_active_override_flag, ret; int num_ref_idx_active_override_flag, ret;
unsigned int slice_type, tmp, i, j; unsigned int slice_type, tmp, i, j;
int default_ref_list_done = 0;
int last_pic_structure, last_pic_droppable; int last_pic_structure, last_pic_droppable;
int must_reinit; int must_reinit;
int needs_reinit = 0; int needs_reinit = 0;
...@@ -3223,12 +3222,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0) ...@@ -3223,12 +3222,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h->slice_type_fixed = 0; h->slice_type_fixed = 0;
slice_type = golomb_to_pict_type[slice_type]; slice_type = golomb_to_pict_type[slice_type];
if (slice_type == AV_PICTURE_TYPE_I ||
(h0->current_slice != 0 &&
slice_type == h0->last_slice_type &&
!memcmp(h0->last_ref_count, h0->ref_count, sizeof(h0->ref_count)))) {
default_ref_list_done = 1;
}
h->slice_type = slice_type; h->slice_type = slice_type;
h->slice_type_nos = slice_type & 3; h->slice_type_nos = slice_type & 3;
...@@ -3659,9 +3652,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0) ...@@ -3659,9 +3652,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h->list_count = 0; h->list_count = 0;
h->ref_count[0] = h->ref_count[1] = 0; h->ref_count[0] = h->ref_count[1] = 0;
} }
if (slice_type != AV_PICTURE_TYPE_I &&
if (!default_ref_list_done) (h0->current_slice == 0 ||
slice_type != h0->last_slice_type ||
memcmp(h0->last_ref_count, h0->ref_count, sizeof(h0->ref_count)))) {
ff_h264_fill_default_ref_list(h); ff_h264_fill_default_ref_list(h);
}
if (h->slice_type_nos != AV_PICTURE_TYPE_I && if (h->slice_type_nos != AV_PICTURE_TYPE_I &&
ff_h264_decode_ref_pic_list_reordering(h) < 0) { ff_h264_decode_ref_pic_list_reordering(h) < 0) {
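Review bot: The new guard around ff_h264_fill_default_ref_list now depends on h0->ref_count being final (the reset two lines above the closing brace is the last write visible here), yet nothing in the code records that ordering constraint, which is exactly what the old placement got wrong; I would put a comment above the if: `/* Keep this after ref_count/list_count are final: the memcmp against h0->last_ref_count reads them, and evaluating it earlier caused an out-of-array read. */`. A smaller consistency point: the new condition tests the local `slice_type` while the reordering check immediately below tests `h->slice_type_nos`, so an SI slice (whose slice_type_nos is I) presumably still reaches ff_h264_fill_default_ref_list; if that is unintended, `if (h->slice_type_nos != AV_PICTURE_TYPE_I &&` on the first line would align the two checks. decode_slice_header continues outside the hunk, so where h0->last_slice_type and h0->last_ref_count are updated cannot be verified from here.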