1 files changed, 47 insertions, 28 deletions

diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c
index 0aa6f09b72..da67149aa1 100644
--- a/libavcodec/h264_parse.c
+++ b/libavcodec/h264_parse.c
@@ -1,18 +1,18 @@
 /*
- * This file is part of Libav.
+ * This file is part of FFmpeg.
  *
- * Libav is free software; you can redistribute it and/or
+ * FFmpeg is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
  * License as published by the Free Software Foundation; either
  * version 2.1 of the License, or (at your option) any later version.
  *
- * Libav is distributed in the hope that it will be useful,
+ * FFmpeg is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  * Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
- * License along with Libav; if not, write to the Free Software
+ * License along with FFmpeg; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  */
 
@@ -26,7 +26,7 @@
 
 int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
                               const int *ref_count, int slice_type_nos,
-                              H264PredWeightTable *pwt)
+                              H264PredWeightTable *pwt, void *logctx)
 {
     int list, i, j;
     int luma_def, chroma_def;
@@ -36,6 +36,16 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps,
     pwt->luma_log2_weight_denom = get_ue_golomb(gb);
     if (sps->chroma_format_idc)
         pwt->chroma_log2_weight_denom = get_ue_golomb(gb);
+
+    if (pwt->luma_log2_weight_denom > 7U) {
+        av_log(logctx, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", pwt->luma_log2_weight_denom);
+        pwt->luma_log2_weight_denom = 0;
+    }
+    if (pwt->chroma_log2_weight_denom > 7U) {
+        av_log(logctx, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom);
+        pwt->chroma_log2_weight_denom = 0;
+    }
+
     luma_def   = 1 << pwt->luma_log2_weight_denom;
     chroma_def = 1 << pwt->chroma_log2_weight_denom;
 
@@ -116,7 +126,7 @@ int ff_h264_check_intra4x4_pred_mode(int8_t *pred_mode_cache, void *logctx,
             int status = top[pred_mode_cache[scan8[0] + i]];
             if (status < 0) {
                 av_log(logctx, AV_LOG_ERROR,
-                       "top block unavailable for requested intra4x4 mode %d\n",
+                       "top block unavailable for requested intra mode %d\n",
                        status);
                 return AVERROR_INVALIDDATA;
             } else if (status) {
@@ -172,17 +182,17 @@ int ff_h264_check_intra_pred_mode(void *logctx, int top_samples_available,
 
     if ((left_samples_available & 0x8080) != 0x8080) {
         mode = left[mode];
+        if (mode < 0) {
+            av_log(logctx, AV_LOG_ERROR,
+                   "left block unavailable for requested intra mode\n");
+            return AVERROR_INVALIDDATA;
+        }
         if (is_chroma && (left_samples_available & 0x8080)) {
             // mad cow disease mode, aka MBAFF + constrained_intra_pred
             mode = ALZHEIMER_DC_L0T_PRED8x8 +
                    (!(left_samples_available & 0x8000)) +
                    2 * (mode == DC_128_PRED8x8);
         }
-        if (mode < 0) {
-            av_log(logctx, AV_LOG_ERROR,
-                   "left block unavailable for requested intra mode\n");
-            return AVERROR_INVALIDDATA;
-        }
     }
 
     return mode;
@@ -190,27 +200,36 @@ int ff_h264_check_intra_pred_mode(void *logctx, int top_samples_available,
 
 int ff_h264_parse_ref_count(int *plist_count, int ref_count[2],
                             GetBitContext *gb, const PPS *pps,
-                            int slice_type_nos, int picture_structure)
+                            int slice_type_nos, int picture_structure, void *logctx)
 {
     int list_count;
-    int num_ref_idx_active_override_flag, max_refs;
+    int num_ref_idx_active_override_flag;
 
     // set defaults, might be overridden a few lines later
     ref_count[0] = pps->ref_count[0];
     ref_count[1] = pps->ref_count[1];
 
     if (slice_type_nos != AV_PICTURE_TYPE_I) {
+        unsigned max[2];
+        max[0] = max[1] = picture_structure == PICT_FRAME ? 15 : 31;
+
         num_ref_idx_active_override_flag = get_bits1(gb);
 
         if (num_ref_idx_active_override_flag) {
             ref_count[0] = get_ue_golomb(gb) + 1;
-            if (ref_count[0] < 1)
-                goto fail;
             if (slice_type_nos == AV_PICTURE_TYPE_B) {
                 ref_count[1] = get_ue_golomb(gb) + 1;
-                if (ref_count[1] < 1)
-                    goto fail;
-            }
+            } else
+                // full range is spec-ok in this case, even for frames
+                ref_count[1] = 1;
+        }
+
+        if (ref_count[0] - 1 > max[0] || ref_count[1] - 1 > max[1]) {
+            av_log(logctx, AV_LOG_ERROR, "reference overflow %u > %u or %u > %u\n",
+                   ref_count[0] - 1, max[0], ref_count[1] - 1, max[1]);
+            ref_count[0] = ref_count[1] = 0;
+            *plist_count = 0;
+            goto fail;
         }
 
         if (slice_type_nos == AV_PICTURE_TYPE_B)
@@ -222,11 +241,6 @@ int ff_h264_parse_ref_count(int *plist_count, int ref_count[2],
         ref_count[0] = ref_count[1] = 0;
     }
 
-    max_refs = picture_structure == PICT_FRAME ? 16 : 32;
-
-    if (ref_count[0] > max_refs || ref_count[1] > max_refs)
-        goto fail;
-
     *plist_count = list_count;
 
     return 0;
@@ -324,14 +338,16 @@ static int decode_extradata_ps(const uint8_t *data, int size, H264ParamSets *ps,
     int i, ret = 0;
 
     ret = ff_h2645_packet_split(&pkt, data, size, logctx, is_avc, 2, AV_CODEC_ID_H264);
-    if (ret < 0)
+    if (ret < 0) {
+        ret = 0;
         goto fail;
+    }
 
     for (i = 0; i < pkt.nb_nals; i++) {
         H2645NAL *nal = &pkt.nals[i];
         switch (nal->type) {
         case NAL_SPS:
-            ret = ff_h264_decode_seq_parameter_set(&nal->gb, logctx, ps);
+            ret = ff_h264_decode_seq_parameter_set(&nal->gb, logctx, ps, 0);
             if (ret < 0)
                 goto fail;
             break;
@@ -409,6 +425,9 @@ int ff_h264_decode_extradata(const uint8_t *data, int size, H264ParamSets *ps,
 {
     int ret;
 
+    if (!data || size <= 0)
+        return -1;
+
     if (data[0] == 1) {
         int i, cnt, nalsize;
         const uint8_t *p = data;
@@ -425,7 +444,7 @@ int ff_h264_decode_extradata(const uint8_t *data, int size, H264ParamSets *ps,
         p  += 6;
         for (i = 0; i < cnt; i++) {
             nalsize = AV_RB16(p) + 2;
-            if (p - data + nalsize > size)
+            if (nalsize > size - (p - data))
                 return AVERROR_INVALIDDATA;
             ret = decode_extradata_ps_mp4(p, nalsize, ps, err_recognition, logctx);
             if (ret < 0) {
@@ -439,7 +458,7 @@ int ff_h264_decode_extradata(const uint8_t *data, int size, H264ParamSets *ps,
         cnt = *(p++); // Number of pps
         for (i = 0; i < cnt; i++) {
             nalsize = AV_RB16(p) + 2;
-            if (p - data + nalsize > size)
+            if (nalsize > size - (p - data))
                 return AVERROR_INVALIDDATA;
             ret = decode_extradata_ps_mp4(p, nalsize, ps, err_recognition, logctx);
             if (ret < 0) {
@@ -457,7 +476,7 @@ int ff_h264_decode_extradata(const uint8_t *data, int size, H264ParamSets *ps,
         if (ret < 0)
             return ret;
     }
-    return 0;
+    return size;
 }
 
 /**