
Unified Diff: chromium/patches/to_upstream/55_h264_nal.patch

Issue 9373002: Fix valgrind and asan memory leaks and crashes. (Closed) Base URL: ssh://gerrit.chromium.org:29418/chromium/third_party/ffmpeg.git@master
Patch Set: Make vp3 fix an ignore. Created 8 years, 10 months ago
Index: chromium/patches/to_upstream/55_h264_nal.patch
diff --git a/chromium/patches/to_upstream/55_h264_nal.patch b/chromium/patches/to_upstream/55_h264_nal.patch
index d46449344e58bca1dca3b12b82cb4d5fd022748f..8c2b6d5b4fcdff7c70000c6897a00f7c10f23355 100644
--- a/chromium/patches/to_upstream/55_h264_nal.patch
+++ b/chromium/patches/to_upstream/55_h264_nal.patch
@@ -1,67 +1,27 @@
-diff -wurp -N orig/libavcodec/h264.c ffmpeg/libavcodec/h264.c
---- orig/libavcodec/h264.c 2012-02-06 14:02:09.990431439 -0800
-+++ ffmpeg/libavcodec/h264.c 2012-02-06 14:06:11.752827405 -0800
-@@ -988,12 +988,13 @@ int ff_h264_decode_extradata(H264Context
- AVCodecContext *avctx = h->s.avctx;
-
- if(avctx->extradata[0] == 1){
-- int i, cnt, nalsize;
-+ int i, cnt, nalsize, size_left;
- unsigned char *p = avctx->extradata;
-+ size_left = avctx->extradata_size;
-
- h->is_avc = 1;
-
-- if(avctx->extradata_size < 7) {
-+ if(size_left < 7) {
- av_log(avctx, AV_LOG_ERROR, "avcC too short\n");
- return -1;
- }
-@@ -1003,23 +1004,47 @@ int ff_h264_decode_extradata(H264Context
- // Decode sps from avcC
+diff --git a/libavcodec/h264.c b/libavcodec/h264.c
+index 7a16bda..2fea444 100644
+--- a/libavcodec/h264.c
++++ b/libavcodec/h264.c
+@@ -1097,6 +1095,8 @@ int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size)
cnt = *(p+5) & 0x1f; // Number of sps
p += 6;
-+ size_left -= 6;
for (i = 0; i < cnt; i++) {
-+ if (size_left < 2) {
-+ av_log(avctx, AV_LOG_ERROR, "Cannot read sps nalsize\n");
++ if(size - (p-buf) < 2)
+ return -1;
-+ }
nalsize = AV_RB16(p) + 2;
-+ if (size_left < nalsize) {
-+ av_log(avctx, AV_LOG_ERROR, "sps nalsize too big\n");
-+ return -1;
-+ }
- if(decode_nal_units(h, p, nalsize) < 0) {
- av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
+ if(nalsize > size - (p-buf))
return -1;
+@@ -1106,9 +1106,13 @@ int ff_h264_decode_extradata(H264Context *h, const uint8_t *buf, int size)
}
p += nalsize;
-+ size_left -= nalsize;
}
- // Decode pps from avcC
-+ if(!size_left) {
-+ av_log(avctx, AV_LOG_ERROR, "Cannot read pps count\n");
++ if(size - (p-buf) <= 0)
+ return -1;
-+ }
+ // Decode pps from avcC
cnt = *(p++); // Number of pps
-+ --size_left;
for (i = 0; i < cnt; i++) {
-+ if (size_left < 2) {
-+ av_log(avctx, AV_LOG_ERROR, "Cannot read pps nalsize\n");
++ if(size - (p-buf) < 2)
+ return -1;
-+ }
nalsize = AV_RB16(p) + 2;
-+ if (size_left < nalsize) {
-+ av_log(avctx, AV_LOG_ERROR, "pps nalsize too big\n");
-+ return -1;
-+ }
- if (decode_nal_units(h, p, nalsize) < 0) {
- av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
+ if(nalsize > size - (p-buf))
return -1;
- }
- p += nalsize;
-+ size_left -= nalsize;
- }
- // Now store right nal length size, that will be use to parse all other nals
- h->nal_length_size = (avctx->extradata[4] & 0x03) + 1;