Commit e0febda2 authored by Ronald S. Bultje's avatar Ronald S. Bultje

h264: stricter reference limit enforcement.

Progressive images can have only 16 references, error out if there are
more, since the data is almost certainly corrupt, and the invalid value
will lead to random crashes or invalid writes later on.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent 48cbe4b0
...@@ -3021,6 +3021,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ ...@@ -3021,6 +3021,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
h->ref_count[1]= h->pps.ref_count[1]; h->ref_count[1]= h->pps.ref_count[1];
if(h->slice_type_nos != AV_PICTURE_TYPE_I){ if(h->slice_type_nos != AV_PICTURE_TYPE_I){
int max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;
if(h->slice_type_nos == AV_PICTURE_TYPE_B){ if(h->slice_type_nos == AV_PICTURE_TYPE_B){
h->direct_spatial_mv_pred= get_bits1(&s->gb); h->direct_spatial_mv_pred= get_bits1(&s->gb);
} }
...@@ -3030,13 +3032,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){ ...@@ -3030,13 +3032,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0){
h->ref_count[0]= get_ue_golomb(&s->gb) + 1; h->ref_count[0]= get_ue_golomb(&s->gb) + 1;
if(h->slice_type_nos==AV_PICTURE_TYPE_B) if(h->slice_type_nos==AV_PICTURE_TYPE_B)
h->ref_count[1]= get_ue_golomb(&s->gb) + 1; h->ref_count[1]= get_ue_golomb(&s->gb) + 1;
}
if(h->ref_count[0]-1 > 32-1 || h->ref_count[1]-1 > 32-1){ if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n"); av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
h->ref_count[0]= h->ref_count[1]= 1; h->ref_count[0] = h->ref_count[1] = 1;
return -1; return AVERROR_INVALIDDATA;
}
} }
if(h->slice_type_nos == AV_PICTURE_TYPE_B) if(h->slice_type_nos == AV_PICTURE_TYPE_B)
h->list_count= 2; h->list_count= 2;
else else
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment