h264dec: handle zero-sized NAL units in get_last_needed_nal()

The current code will ignore the init_get_bits() failure and do an invalid read from the uninitialized GetBitContext. Found-By: Jan Ruge <jan.s.ruge@gmail.com> Bug-Id: 952

h264dec: handle zero-sized NAL units in get_last_needed_nal()
The current code will ignore the init_get_bits() failure and do an invalid read from the uninitialized GetBitContext. Found-By: Jan Ruge <jan.s.ruge@gmail.com> Bug-Id: 952
76f7e70a · Anton Khirnov · 1f7b4f9a · 76f7e70a
Commit 76f7e70a authored Jul 20, 2016 by Anton Khirnov
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

h264dec.c libavcodec/h264dec.c +9 -2

No files found.
--- a/libavcodec/h264dec.c
+++ b/libavcodec/h264dec.c
@@ -478,7 +478,7 @@ static void flush_dpb(AVCodecContext *avctx)
 static int get_last_needed_nal(H264Context *h)
 {
    int nals_needed = 0;
-    int i;
+    int i, ret;
    for (i = 0; i < h->pkt.nb_nals; i++) {
        H2645NAL *nal = &h->pkt.nals[i];
@@ -496,7 +496,14 @@ static int get_last_needed_nal(H264Context *h)
        case H264_NAL_DPA:
        case H264_NAL_IDR_SLICE:
        case H264_NAL_SLICE:
-            init_get_bits(&gb, nal->data + 1, (nal->size - 1) * 8);
+            ret = init_get_bits8(&gb, nal->data + 1, nal->size - 1);
+            if (ret < 0) {
+                av_log(h->avctx, AV_LOG_ERROR, "Invalid zero-sized VCL NAL unit\n");
+                if (h->avctx->err_recognition & AV_EF_EXPLODE)
+                    return ret;
+                break;
+            }
            if (!get_ue_golomb(&gb))
                nals_needed = i;
        }