From 76f7e70aa04fc5dbef5242b11cbf8fe4499f61d4 Mon Sep 17 00:00:00 2001
From: Anton Khirnov
Date: Wed, 20 Jul 2016 08:31:38 +0200
Subject: h264dec: handle zero-sized NAL units in get_last_needed_nal()

The current code will ignore the init_get_bits() failure and do an invalid read from the uninitialized GetBitContext.

Found-By: Jan Ruge
Bug-Id: 952
---
 libavcodec/h264dec.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'libavcodec/h264dec.c')

diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c
index faa502ed09..4d1702e114 100644
--- a/libavcodec/h264dec.c
+++ b/libavcodec/h264dec.c
@@ -478,7 +478,7 @@ static void flush_dpb(AVCodecContext *avctx)
 static int get_last_needed_nal(H264Context *h)
 {
     int nals_needed = 0;
-    int i;
+    int i, ret;
 
     for (i = 0; i < h->pkt.nb_nals; i++) {
         H2645NAL *nal = &h->pkt.nals[i];
@@ -496,7 +496,14 @@ static int get_last_needed_nal(H264Context *h)
         case H264_NAL_DPA:
         case H264_NAL_IDR_SLICE:
         case H264_NAL_SLICE:
-            init_get_bits(&gb, nal->data + 1, (nal->size - 1) * 8);
+            ret = init_get_bits8(&gb, nal->data + 1, nal->size - 1);
+            if (ret < 0) {
+                av_log(h->avctx, AV_LOG_ERROR, "Invalid zero-sized VCL NAL unit\n");
+                if (h->avctx->err_recognition & AV_EF_EXPLODE)
+                    return ret;
+
+                break;
+            }
             if (!get_ue_golomb(&gb))
                 nals_needed = i;
         }
-- 
cgit v1.2.3
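Review bot: The new check in the second hunk only rejects a NAL unit whose size is 0, because `init_get_bits8(&gb, nal->data + 1, nal->size - 1)` is handed a byte count of -1 in that case; a VCL NAL consisting of just its header byte (nal->size == 1) yields a byte count of 0, which presumably initializes an empty GetBitContext successfully, and the following `get_ue_golomb(&gb)` then reads a slice header that is not there. Whether that read is bounded depends on the bitstream reader's checked/unchecked mode for this file and on the padding behind nal->data, neither of which is visible in the hunk, so it is worth treating a header-only NAL as invalid too, e.g. `ret = nal->size < 2 ? AVERROR_INVALIDDATA : init_get_bits8(&gb, nal->data + 1, nal->size - 1);` so the same log-and-skip (or AV_EF_EXPLODE) path covers it. Note that the `break` in the error branch leaves the switch only, so scanning continues with the next NAL, which looks intended as the lenient path. The for loop and switch that enclose this code start in the first hunk and end outside the second.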