diff options
Diffstat (limited to 'libavcodec/h264_parse.c')
-rw-r--r-- | libavcodec/h264_parse.c | 58 |
1 files changed, 36 insertions, 22 deletions
diff --git a/libavcodec/h264_parse.c b/libavcodec/h264_parse.c index 4ab0fde5f7..d99d4ae5d8 100644 --- a/libavcodec/h264_parse.c +++ b/libavcodec/h264_parse.c @@ -1,18 +1,18 @@ /* - * This file is part of Libav. + * This file is part of FFmpeg. * - * Libav is free software; you can redistribute it and/or + * FFmpeg is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * - * Libav is distributed in the hope that it will be useful, + * FFmpeg is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public - * License along with Libav; if not, write to the Free Software + * License along with FFmpeg; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ @@ -33,6 +33,16 @@ int ff_h264_pred_weight_table(GetBitContext *gb, const SPS *sps, pwt->luma_log2_weight_denom = get_ue_golomb(gb); if (sps->chroma_format_idc) pwt->chroma_log2_weight_denom = get_ue_golomb(gb); + + if (pwt->luma_log2_weight_denom > 7U) { + av_log(NULL, AV_LOG_ERROR, "luma_log2_weight_denom %d is out of range\n", pwt->luma_log2_weight_denom); + pwt->luma_log2_weight_denom = 0; + } + if (pwt->chroma_log2_weight_denom > 7U) { + av_log(NULL, AV_LOG_ERROR, "chroma_log2_weight_denom %d is out of range\n", pwt->chroma_log2_weight_denom); + pwt->chroma_log2_weight_denom = 0; + } + luma_def = 1 << pwt->luma_log2_weight_denom; chroma_def = 1 << pwt->chroma_log2_weight_denom; @@ -105,7 +115,7 @@ int ff_h264_check_intra4x4_pred_mode(int8_t *pred_mode_cache, void *logctx, int status = top[pred_mode_cache[scan8[0] + i]]; if (status < 0) { av_log(logctx, AV_LOG_ERROR, - "top block unavailable for requested intra4x4 mode %d\n", + "top block unavailable for requested intra mode %d\n", status); return AVERROR_INVALIDDATA; } else if (status) { @@ -161,17 +171,17 @@ int ff_h264_check_intra_pred_mode(void *logctx, int top_samples_available, if ((left_samples_available & 0x8080) != 0x8080) { mode = left[mode]; + if (mode < 0) { + av_log(logctx, AV_LOG_ERROR, + "left block unavailable for requested intra mode\n"); + return AVERROR_INVALIDDATA; + } if (is_chroma && (left_samples_available & 0x8080)) { // mad cow disease mode, aka MBAFF + constrained_intra_pred mode = ALZHEIMER_DC_L0T_PRED8x8 + (!(left_samples_available & 0x8000)) + 2 * (mode == DC_128_PRED8x8); } - if (mode < 0) { - av_log(logctx, AV_LOG_ERROR, - "left block unavailable for requested intra mode\n"); - return AVERROR_INVALIDDATA; - } } return mode; @@ -179,27 +189,36 @@ int ff_h264_check_intra_pred_mode(void *logctx, int top_samples_available, int ff_h264_parse_ref_count(int *plist_count, int ref_count[2], GetBitContext *gb, const PPS *pps, - int slice_type_nos, int picture_structure) + int slice_type_nos, int picture_structure, void *logctx) { int list_count; - int num_ref_idx_active_override_flag, max_refs; + int num_ref_idx_active_override_flag; // set defaults, might be overridden a few lines later ref_count[0] = pps->ref_count[0]; ref_count[1] = pps->ref_count[1]; if (slice_type_nos != AV_PICTURE_TYPE_I) { + unsigned max[2]; + max[0] = max[1] = picture_structure == PICT_FRAME ? 15 : 31; + num_ref_idx_active_override_flag = get_bits1(gb); if (num_ref_idx_active_override_flag) { ref_count[0] = get_ue_golomb(gb) + 1; - if (ref_count[0] < 1) - goto fail; if (slice_type_nos == AV_PICTURE_TYPE_B) { ref_count[1] = get_ue_golomb(gb) + 1; - if (ref_count[1] < 1) - goto fail; - } + } else + // full range is spec-ok in this case, even for frames + ref_count[1] = 1; + } + + if (ref_count[0] - 1 > max[0] || ref_count[1] - 1 > max[1]) { + av_log(logctx, AV_LOG_ERROR, "reference overflow %u > %u or %u > %u\n", + ref_count[0] - 1, max[0], ref_count[1] - 1, max[1]); + ref_count[0] = ref_count[1] = 0; + *plist_count = 0; + goto fail; } if (slice_type_nos == AV_PICTURE_TYPE_B) @@ -211,11 +230,6 @@ int ff_h264_parse_ref_count(int *plist_count, int ref_count[2], ref_count[0] = ref_count[1] = 0; } - max_refs = picture_structure == PICT_FRAME ? 16 : 32; - - if (ref_count[0] > max_refs || ref_count[1] > max_refs) - goto fail; - *plist_count = list_count; return 0; |