Skip to content

F
ffmpeg.wasm-core
Commit dc9ce400 authored by Michael Niedermayer's avatar Michael Niedermayer
Browse files
Options

h264: More correct ref_count check in decode_slice_header() 

Signed-off-by: 's avatarMichael Niedermayer <michaelni@gmx.at>
parent 514c44c4
Hide whitespace changes
Inline Side-by-side
Showing with 6 additions and 5 deletions
libavcodec/h264.c
View file @ dc9ce400
...@@ -2881,6 +2881,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ ...@@ -2881,6 +2881,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
h->ref_count[1]= h->pps.ref_count[1]; h->ref_count[1]= h->pps.ref_count[1];
if(h->slice_type_nos != AV_PICTURE_TYPE_I){ if(h->slice_type_nos != AV_PICTURE_TYPE_I){
unsigned max= (16<<(s->picture_structure != PICT_FRAME))-1;
if(h->slice_type_nos == AV_PICTURE_TYPE_B){ if(h->slice_type_nos == AV_PICTURE_TYPE_B){
h->direct_spatial_mv_pred= get_bits1(&s->gb); h->direct_spatial_mv_pred= get_bits1(&s->gb);
} }
...@@ -2891,11 +2892,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ ...@@ -2891,11 +2892,11 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
if(h->slice_type_nos==AV_PICTURE_TYPE_B) if(h->slice_type_nos==AV_PICTURE_TYPE_B)
h->ref_count[1]= get_ue_golomb(&s->gb) + 1; h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){ }
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); if(h->ref_count[0]-1 > max || h->ref_count[1]-1 > max){
h->ref_count[0]= h->ref_count[1]= 1; av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
return -1; h->ref_count[0]= h->ref_count[1]= 1;
} return -1;
} }
if(h->slice_type_nos == AV_PICTURE_TYPE_B) if(h->slice_type_nos == AV_PICTURE_TYPE_B)
h->list_count= 2; h->list_count= 2;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment