avcodec/h264dec: fix possible out-of-bounds array access

If slice_type is > 9, the access to ff_h264_golomb_to_pict_type is out-of-bounds. Fix this by simply setting the slice_type to 0 in this case. This is completely inconsequential because the value is only being used to being used as an offset in the calculation of the film grain seed value, a corruption of which is practically invisible. Fixes coverity ticket #1490802 Signed-off-by: James Almer <jamrial@gmail.com>
2025-01-24 13:56:33 +02:00 · 2021-08-25 05:06:01 +02:00 · 2021-08-25 05:06:01 +02:00 · 94653e0dee
commit 94653e0dee
parent b492cacffd
1 changed files with 2 additions and 4 deletions
--- a/libavcodec/h264dec.c
+++ b/libavcodec/h264dec.c
@ -533,10 +533,8 @@ static int get_last_needed_nal(H264Context *h)
                first_slice != nal->type)
                nals_needed = i;
            slice_type = get_ue_golomb_31(&gb);
-            if (slice_type > 9) {
-                if (h->avctx->err_recognition & AV_EF_EXPLODE)
-                    return AVERROR_INVALIDDATA;
-            }
+            if (slice_type > 9)
+                slice_type = 0;
            if (slice_type > 4)
                slice_type -= 5;