h264: prevent theoretical infinite loop in SEI parsing
Properly address CVE-2011-3946 and parse bitstream as described in the spec. CC: libav-stable@libav.org Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
parent
b2e059a1ff
commit
7ab551f9fd
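--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -222,14 +222,20 @@ int ff_h264_decode_sei(H264Context *h)
 int size = 0;
 int type = 0;
 int ret = 0;
+int last = 0;
 
-do
-type += show_bits(&h->gb, 8);
-while (get_bits(&h->gb, 8) == 255);
+while (get_bits_left(&h->gb) >= 8 &&
+(last = get_bits(&h->gb, 8)) == 255) {
+type += 255;
+}
+type += last;
 
-do
-size += show_bits(&h->gb, 8);
-while (get_bits(&h->gb, 8) == 255);
+last = 0;
+while (get_bits_left(&h->gb) >= 8 &&
+(last = get_bits(&h->gb, 8)) == 255) {
+size += 255;
+}
+size += last;
 
 if (size > get_bits_left(&h->gb) / 8) {
 av_log(h->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",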
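Review bot: After the new type loop (the rows ending with `type += last;`) a run of 0xFF bytes cut short by the end of the buffer is not distinguished from a normally terminated one: the loop then exits on the `get_bits_left(&h->gb) >= 8` test with `last` still 255, the partial type is used, and the size loop that follows reads nothing, so `size` stays 0 and passes the `size > get_bits_left(&h->gb) / 8` check. Because `last` can only equal 255 after either loop in exactly that truncated case, a one-line guard after each loop makes the condition explicit, e.g. `if (last == 255) return AVERROR_INVALIDDATA;` (or whatever error value the rest of ff_h264_decode_sei returns; the function starts and ends outside the hunk, so what happens after the size check is not visible here). The same loops accumulate `type` and `size` in `int` with no upper bound, so in principle a run of more than INT_MAX/255 (roughly 8 million) 0xFF bytes inside one NAL would overflow `size` before the post-loop check runs; repeating the `size > get_bits_left(&h->gb) / 8` comparison inside the size loop body would close that case as well.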