Avoid OOB reads in nal parsing.

source/patched-ffmpeg/libavcodec/h264.c

 /*
  * H.26L/H.264/AVC/JVT/14496-10/... decoder
  * Copyright (c) 2003 Michael Niedermayer <michaelni@gmx.at>
  *
  * This file is part of FFmpeg.
  *
  * FFmpeg is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
  * License as published by the Free Software Foundation; either
  * version 2.1 of the License, or (at your option) any later version.
@@ skipping 970 matching lines @@
 
     memset(h->pps.scaling_matrix4, 16, 6*16*sizeof(uint8_t));
     memset(h->pps.scaling_matrix8, 16, 2*64*sizeof(uint8_t));
 }
 
 int ff_h264_decode_extradata(H264Context *h)
 {
     AVCodecContext *avctx = h->s.avctx;
 
     if(avctx->extradata[0] == 1){
-        int i, cnt, nalsize;
+        int i, cnt, nalsize, size_left;
         unsigned char *p = avctx->extradata;
+        size_left = avctx->extradata_size;
 
         h->is_avc = 1;
 
-        if(avctx->extradata_size < 7) {
+        if(size_left < 7) {
             av_log(avctx, AV_LOG_ERROR, "avcC too short\n");
             return -1;
         }
         /* sps and pps in the avcC always have length coded with 2 bytes,
            so put a fake nal_length_size = 2 while parsing them */
         h->nal_length_size = 2;
         // Decode sps from avcC
         cnt = *(p+5) & 0x1f; // Number of sps
         p += 6;
+        size_left -= 6;
         for (i = 0; i < cnt; i++) {
+            if (size_left < 2) {
+                av_log(avctx, AV_LOG_ERROR, "Cannot read sps nalsize\n");
+                return -1;
+            }
             nalsize = AV_RB16(p) + 2;
+            if (size_left < nalsize) {
+                av_log(avctx, AV_LOG_ERROR, "sps nalsize too big\n");
+                return -1;
+            }
             if(decode_nal_units(h, p, nalsize) < 0) {
                 av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
                 return -1;
             }
             p += nalsize;
+            size_left -= nalsize;
         }
         // Decode pps from avcC
+        if(!size_left) {
+            av_log(avctx, AV_LOG_ERROR, "Cannot read pps count\n");
+            return -1;
+        }
         cnt = *(p++); // Number of pps
+        --size_left;
         for (i = 0; i < cnt; i++) {
+            if (size_left < 2) {
+                av_log(avctx, AV_LOG_ERROR, "Cannot read pps nalsize\n");
+                return -1;
+            }
             nalsize = AV_RB16(p) + 2;
+            if (size_left < nalsize) {
+                av_log(avctx, AV_LOG_ERROR, "pps nalsize too big\n");
+                return -1;
+            }
             if (decode_nal_units(h, p, nalsize) < 0) {
                 av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
                 return -1;
             }
             p += nalsize;
+            size_left -= nalsize;
         }
         // Now store right nal length size, that will be use to parse all other nals
         h->nal_length_size = (avctx->extradata[4] & 0x03) + 1;
     } else {
         h->is_avc = 0;
         if(decode_nal_units(h, avctx->extradata, avctx->extradata_size) < 0)
             return -1;
     }
     return 0;
 }
@@ skipping 3126 matching lines @@
     NULL,
     ff_h264_decode_end,
     decode_frame,
     CODEC_CAP_DR1 | CODEC_CAP_DELAY | CODEC_CAP_HWACCEL_VDPAU,
     .flush= flush_dpb,
     .long_name = NULL_IF_CONFIG_SMALL("H.264 / AVC / MPEG-4 AVC / MPEG-4 part 10 (VDPAU acceleration)"),
     .pix_fmts = (const enum PixelFormat[]){PIX_FMT_VDPAU_H264, PIX_FMT_NONE},
     .profiles = NULL_IF_CONFIG_SMALL(profiles),
 };
 #endif