Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Contribute to GitLab
Sign in / Register
Toggle navigation
F
ffmpeg.wasm-core
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Linshizhi
ffmpeg.wasm-core
Commits
60b6b8c0
Commit
60b6b8c0
authored
Nov 15, 2012
by
Janne Grunau
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
h264: always check ref_count for validity
Fixes a crash with zuffed files.
parent
8c3849bc
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
9 additions
and
9 deletions
+9
-9
h264.c
libavcodec/h264.c
+9
-9
No files found.
libavcodec/h264.c
View file @
60b6b8c0
...
...
@@ -2356,7 +2356,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
MpegEncContext
*
const
s0
=
&
h0
->
s
;
unsigned
int
first_mb_in_slice
;
unsigned
int
pps_id
;
int
num_ref_idx_active_override_flag
;
int
num_ref_idx_active_override_flag
,
max_refs
;
unsigned
int
slice_type
,
tmp
,
i
,
j
;
int
default_ref_list_done
=
0
;
int
last_pic_structure
,
last_pic_dropable
;
...
...
@@ -2835,8 +2835,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h
->
ref_count
[
1
]
=
h
->
pps
.
ref_count
[
1
];
if
(
h
->
slice_type_nos
!=
AV_PICTURE_TYPE_I
)
{
int
max_refs
=
s
->
picture_structure
==
PICT_FRAME
?
16
:
32
;
if
(
h
->
slice_type_nos
==
AV_PICTURE_TYPE_B
)
h
->
direct_spatial_mv_pred
=
get_bits1
(
&
s
->
gb
);
num_ref_idx_active_override_flag
=
get_bits1
(
&
s
->
gb
);
...
...
@@ -2847,12 +2845,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
h
->
ref_count
[
1
]
=
get_ue_golomb
(
&
s
->
gb
)
+
1
;
}
if
(
h
->
ref_count
[
0
]
>
max_refs
||
h
->
ref_count
[
1
]
>
max_refs
)
{
av_log
(
h
->
s
.
avctx
,
AV_LOG_ERROR
,
"reference overflow
\n
"
);
h
->
ref_count
[
0
]
=
h
->
ref_count
[
1
]
=
1
;
return
AVERROR_INVALIDDATA
;
}
if
(
h
->
slice_type_nos
==
AV_PICTURE_TYPE_B
)
h
->
list_count
=
2
;
else
...
...
@@ -2860,6 +2852,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
}
else
h
->
list_count
=
0
;
max_refs
=
s
->
picture_structure
==
PICT_FRAME
?
16
:
32
;
if
(
h
->
ref_count
[
0
]
>
max_refs
||
h
->
ref_count
[
1
]
>
max_refs
)
{
av_log
(
h
->
s
.
avctx
,
AV_LOG_ERROR
,
"reference overflow
\n
"
);
h
->
ref_count
[
0
]
=
h
->
ref_count
[
1
]
=
1
;
return
AVERROR_INVALIDDATA
;
}
if
(
!
default_ref_list_done
)
ff_h264_fill_default_ref_list
(
h
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment