From f7f88018393b96ae410041e9a0fc51f4c082002e Mon Sep 17 00:00:00 2001
From: Yusuke Nakamura <muken.the.vfrmaniac@gmail.com>
Date: Mon, 21 Oct 2013 02:36:51 +0900
Subject: [PATCH] hevc: Search start code in decode_nal_units().

User may cut off a weird position and send a packet from there.
This avoids returning as invalid data immediately.
---
 libavcodec/hevc.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index a395bc9087..9a8886735e 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2325,14 +2325,15 @@ static int decode_nal_units(HEVCContext *s, const uint8_t *buf, int length)
                 goto fail;
             }
         } else {
-            if (buf[2] == 0) {
-                length--;
-                buf++;
-                continue;
-            }
-            if (buf[0] != 0 || buf[1] != 0 || buf[2] != 1) {
-                ret = AVERROR_INVALIDDATA;
-                goto fail;
+            /* search start code */
+            while (buf[0] != 0 || buf[1] != 0 || buf[2] != 1) {
+                ++buf;
+                --length;
+                if (length < 4) {
+                    av_log(s->avctx, AV_LOG_ERROR, "No start code is found.\n");
+                    ret = AVERROR_INVALIDDATA;
+                    goto fail;
+                }
             }
 
             buf    += 3;