summaryrefslogtreecommitdiff
path: root/libavcodec/h264_mp4toannexb_bsf.c
diff options
context:
space:
mode:
authorThomas Devanneaux <thomdev@gmail.com>2010-05-10 07:08:57 +0000
committerBenoit Fouet <benoit.fouet@free.fr>2010-05-10 07:08:57 +0000
commit52486603b5b8e2827627afbc8a2028fb74554920 (patch)
tree99a4fca4452481ce349cd0ddd58d62507fc20173 /libavcodec/h264_mp4toannexb_bsf.c
parent8ad802e610771e1e63d6f105739b78b4aa6980d8 (diff)
downloadffmpeg-52486603b5b8e2827627afbc8a2028fb74554920.tar.gz
Check NAL unit size to avoid reading past the buffer.
This fixes issue1907 Patch by Thomas Devanneaux gmail(thomdev) Originally committed as revision 23078 to svn://svn.ffmpeg.org/ffmpeg/trunk
Diffstat (limited to 'libavcodec/h264_mp4toannexb_bsf.c')
-rw-r--r--libavcodec/h264_mp4toannexb_bsf.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c
index 936418a8a0..0c92b36f65 100644
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -55,7 +55,9 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
int keyframe) {
H264BSFContext *ctx = bsfc->priv_data;
uint8_t unit_type;
- uint32_t nal_size, cumul_size = 0;
+ int32_t nal_size;
+ uint32_t cumul_size = 0;
+ const uint8_t *buf_end = buf + buf_size;
/* nothing to filter */
if (!avctx->extradata || avctx->extradata_size < 6) {
@@ -109,6 +111,9 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
*poutbuf_size = 0;
*poutbuf = NULL;
do {
+ if (buf + ctx->length_size > buf_end)
+ goto fail;
+
if (ctx->length_size == 1)
nal_size = buf[0];
else if (ctx->length_size == 2)
@@ -119,6 +124,9 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
buf += ctx->length_size;
unit_type = *buf & 0x1f;
+ if (buf + nal_size > buf_end || nal_size < 0)
+ goto fail;
+
/* prepend only to the first type 5 NAL unit of an IDR picture */
if (ctx->first_idr && unit_type == 5) {
alloc_and_copy(poutbuf, poutbuf_size,
@@ -139,6 +147,11 @@ static int h264_mp4toannexb_filter(AVBitStreamFilterContext *bsfc,
} while (cumul_size < buf_size);
return 1;
+
+fail:
+ av_freep(poutbuf);
+ *poutbuf_size = 0;
+ return AVERROR(EINVAL);
}
static void h264_mp4toannexb_close(AVBitStreamFilterContext *bsfc)