Check level_prefix a bit (this just checks the max our bitreader can handle,

as i did nt find a limit in the spec) This should stop cavlc_decode_residual() on a zero bitstream Originally committed as revision 22429 to svn://svn.ffmpeg.org/ffmpeg/trunk
author: Michael Niedermayer <michaelni@gmx.at> 2010-03-10 09:55:03 +0000
committer: Michael Niedermayer <michaelni@gmx.at> 2010-03-10 09:55:03 +0000
commit: 9885284c2259847b0d2b34b5574e3276607e37e4 (patch)
tree: 1cec243e66d6e9df26bf1108a1c5b95da12eb468
parent: 83c2bc7abba62e1de16584b5adb82f77f2e9604e (diff)
download: ffmpeg-9885284c2259847b0d2b34b5574e3276607e37e4.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index ef92218b4f..7da645dcd3 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -431,8 +431,13 @@ static int decode_residual(H264Context *h, GetBitContext *gb, DCTELEM *block, in
                     level_code= prefix + get_bits(gb, 4); //part
             }else{
                 level_code= 30 + get_bits(gb, prefix-3); //part
-                if(prefix>=16)
+                if(prefix>=16){
+                    if(prefix > 25+3){
+                        av_log(h->s.avctx, AV_LOG_ERROR, "Invalid level prefix\n");
+                        return -1;
+                    }
                     level_code += (1<<(prefix-3))-4096;
+                }
             }
 
             if(trailing_ones < 3) level_code += 2;
author	Michael Niedermayer <michaelni@gmx.at>	2010-03-10 09:55:03 +0000
committer	Michael Niedermayer <michaelni@gmx.at>	2010-03-10 09:55:03 +0000
commit	9885284c2259847b0d2b34b5574e3276607e37e4 (patch)
tree	1cec243e66d6e9df26bf1108a1c5b95da12eb468
parent	83c2bc7abba62e1de16584b5adb82f77f2e9604e (diff)
download	ffmpeg-9885284c2259847b0d2b34b5574e3276607e37e4.tar.gz