1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2025-01-13 21:28:01 +02:00

h264: additional protection against unsupported size/bitdepth changes.

Fixes crashes in codepaths not covered by original checks.

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Ronald S. Bultje 2012-03-29 16:37:09 -07:00
parent ac80b812cd
commit 732f9fcfe5
2 changed files with 5 additions and 2 deletions

View File

@ -2971,10 +2971,10 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
if (s->context_initialized && if (s->context_initialized &&
(s->width != s->avctx->width || s->height != s->avctx->height || (s->width != s->avctx->width || s->height != s->avctx->height ||
av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) { av_cmp_q(h->sps.sar, s->avctx->sample_aspect_ratio))) {
if (h != h0) { if (h != h0 || (HAVE_THREADS && h->s.avctx->active_thread_type & FF_THREAD_FRAME)) {
av_log_missing_feature(s->avctx, av_log_missing_feature(s->avctx,
"Width/height changing with threads is", 0); "Width/height changing with threads is", 0);
return -1; // width / height changed during parallelized decoding return AVERROR_PATCHWELCOME; // width / height changed during parallelized decoding
} }
free_tables(h, 0); free_tables(h, 0);
flush_dpb(s->avctx); flush_dpb(s->avctx);

View File

@ -475,6 +475,9 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
if(pps_id >= MAX_PPS_COUNT) { if(pps_id >= MAX_PPS_COUNT) {
av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id); av_log(h->s.avctx, AV_LOG_ERROR, "pps_id (%d) out of range\n", pps_id);
return -1; return -1;
} else if (h->sps.bit_depth_luma > 10) {
av_log(h->s.avctx, AV_LOG_ERROR, "Unimplemented luma bit depth=%d (max=10)\n", h->sps.bit_depth_luma);
return AVERROR_PATCHWELCOME;
} }
pps= av_mallocz(sizeof(PPS)); pps= av_mallocz(sizeof(PPS));