Commit 57764c69 authored by Laurent Aimar's avatar Laurent Aimar Committed by Michael Niedermayer

h264: Check for out of bounds reads in ff_h264_decode_extradata().

Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 87f5e797
...@@ -1013,6 +1013,8 @@ int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size) ...@@ -1013,6 +1013,8 @@ int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size)
p += 6; p += 6;
for (i = 0; i < cnt; i++) { for (i = 0; i < cnt; i++) {
nalsize = AV_RB16(p) + 2; nalsize = AV_RB16(p) + 2;
if(nalsize > size - (p-buf))
return -1;
if(decode_nal_units(h, p, nalsize) < 0) { if(decode_nal_units(h, p, nalsize) < 0) {
av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i); av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
return -1; return -1;
...@@ -1023,6 +1025,8 @@ int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size) ...@@ -1023,6 +1025,8 @@ int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size)
cnt = *(p++); // Number of pps cnt = *(p++); // Number of pps
for (i = 0; i < cnt; i++) { for (i = 0; i < cnt; i++) {
nalsize = AV_RB16(p) + 2; nalsize = AV_RB16(p) + 2;
if(nalsize > size - (p-buf))
return -1;
if (decode_nal_units(h, p, nalsize) < 0) { if (decode_nal_units(h, p, nalsize) < 0) {
av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i); av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
return -1; return -1;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment