
Unified Diff: source/patched-ffmpeg/libavcodec/h264.c

Issue 9340008: Avoid OOB reads in nal parsing. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/deps/third_party/ffmpeg/
Patch Set: Created 8 years, 10 months ago
Index: source/patched-ffmpeg/libavcodec/h264.c
===================================================================
--- source/patched-ffmpeg/libavcodec/h264.c (revision 120628)
+++ source/patched-ffmpeg/libavcodec/h264.c (working copy)
@@ -988,12 +988,13 @@
AVCodecContext *avctx = h->s.avctx;
if(avctx->extradata[0] == 1){
- int i, cnt, nalsize;
+ int i, cnt, nalsize, size_left;
unsigned char *p = avctx->extradata;
+ size_left = avctx->extradata_size;
h->is_avc = 1;
- if(avctx->extradata_size < 7) {
+ if(size_left < 7) {
av_log(avctx, AV_LOG_ERROR, "avcC too short\n");
return -1;
}
@@ -1003,23 +1004,47 @@
// Decode sps from avcC
cnt = *(p+5) & 0x1f; // Number of sps
p += 6;
+ size_left -= 6;
for (i = 0; i < cnt; i++) {
+ if (size_left < 2) {
+ av_log(avctx, AV_LOG_ERROR, "Cannot read sps nalsize\n");
+ return -1;
+ }
nalsize = AV_RB16(p) + 2;
+ if (size_left < nalsize) {
+ av_log(avctx, AV_LOG_ERROR, "sps nalsize too big\n");
+ return -1;
+ }
if(decode_nal_units(h, p, nalsize) < 0) {
av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
return -1;
}
p += nalsize;
+ size_left -= nalsize;
}
// Decode pps from avcC
+ if(!size_left) {
+ av_log(avctx, AV_LOG_ERROR, "Cannot read pps count\n");
+ return -1;
+ }
cnt = *(p++); // Number of pps
+ --size_left;
for (i = 0; i < cnt; i++) {
+ if (size_left < 2) {
+ av_log(avctx, AV_LOG_ERROR, "Cannot read pps nalsize\n");
+ return -1;
+ }
nalsize = AV_RB16(p) + 2;
+ if (size_left < nalsize) {
+ av_log(avctx, AV_LOG_ERROR, "pps nalsize too big\n");
+ return -1;
+ }
if (decode_nal_units(h, p, nalsize) < 0) {
av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
return -1;
}
p += nalsize;
+ size_left -= nalsize;
}
// Now store right nal length size, that will be use to parse all other nals
h->nal_length_size = (avctx->extradata[4] & 0x03) + 1;
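Review bot: The new `size_left` checks in the sps and pps loops are what now keep `decode_nal_units` inside `extradata`, but nothing in the hunk says so, and a later edit that reads through `p` before one of these checks would silently reopen the out-of-bounds read; I would add, next to `size_left = avctx->extradata_size;` in the first hunk, `/* size_left: bytes of extradata not yet consumed. extradata comes from the container, so every read of p below is checked against it before the pointer advances. */`. The two loop bodies are now identical apart from the log text, so folding the two checks and the `decode_nal_units` call into one static helper that takes the "sps"/"pps" name would remove the duplication, though that is a style choice rather than a defect. The enclosing function starts before the first hunk and continues past the last line shown, and the first hunk as rendered lists fewer lines than its `@@` header counts, so some trailing context there appears to be missing from this page.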