Avoid SPS and PPS id array out of bounds in h264 parser

author Andreas Öman <andreas@lonelycoder.com>

Wed, 18 May 2011 09:43:18 +0000 (11:43 +0200)

committer Andreas Öman <andreas@lonelycoder.com>

Wed, 18 May 2011 09:43:24 +0000 (11:43 +0200)
author Andreas Öman <andreas@lonelycoder.com>
Wed, 18 May 2011 09:43:18 +0000 (11:43 +0200)
committer Andreas Öman <andreas@lonelycoder.com>
Wed, 18 May 2011 09:43:24 +0000 (11:43 +0200)
diff --git a/src/parser_h264.c b/src/parser_h264.c

index c77fc2d1efe1f2e9fc4e1fc3d325f8bcf9aea29d..07bed03b44cc298d9ad12b436d098f5741dea2bf 100644 (file)
--- a/src/parser_h264.c
+++ b/src/parser_h264.c
@@ -239,6 +239,8 @@ h264_decode_seq_parameter_set(elementary_stream_t *st, bitstream_t *bs)
    level_idc= read_bits(bs, 8);
    sps_id= read_golomb_ue(bs);
  
+  if(sps_id > 255)
+    return -1;
  
    i = 0;
    while(h264_lev2cpbsize[i][0] != -1) {
@@ -337,7 +339,12 @@ h264_decode_pic_parameter_set(elementary_stream_t *st, bitstream_t *bs)
      p = st->es_priv = calloc(1, sizeof(h264_private_t));
    
    pps_id = read_golomb_ue(bs);
+  if(pps_id > 255)
+    return 0;
    sps_id = read_golomb_ue(bs);
+  if(sps_id > 255)
+    return -1;
+
    p->pps[pps_id].sps = sps_id;
    return 0;
  }
@@ -374,6 +381,9 @@ h264_decode_slice_header(elementary_stream_t *st, bitstream_t *bs, int *pkttype,
    }
  
    pps_id = read_golomb_ue(bs);
+  if(pps_id > 255)
+    return -1;
+
    sps_id = p->pps[pps_id].sps;
    if(p->sps[sps_id].max_frame_num_bits == 0)
      return -1;
author	Andreas Öman <andreas@lonelycoder.com>
	Wed, 18 May 2011 09:43:18 +0000 (11:43 +0200)
committer	Andreas Öman <andreas@lonelycoder.com>
	Wed, 18 May 2011 09:43:24 +0000 (11:43 +0200)