
[FFmpeg-devel] avcodec/h264dec: fix possible out-of-bounds array access

Message ID 20210825030601.117793-1-ffmpeg@haasn.xyz
State New
Series [FFmpeg-devel] avcodec/h264dec: fix possible out-of-bounds array access

Checks

Context Check Description
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished
andriy/make_ppc success Make finished
andriy/make_fate_ppc success Make fate finished

Commit Message

Niklas Haas Aug. 25, 2021, 3:06 a.m. UTC
From: Niklas Haas <git@haasn.dev>

If slice_type is > 9, the access to ff_h264_golomb_to_pict_type is
out-of-bounds. Fix this by simply setting the slice_type to 0 in this
case.

This is completely inconsequential because the value is only being used
as an offset in the calculation of the film grain seed value, a
corruption of which is practically invisible.

Fixes coverity ticket #1490802
---
 libavcodec/h264dec.c | 1 +
 1 file changed, 1 insertion(+)

Comments

James Almer Aug. 25, 2021, 3:09 a.m. UTC | #1
On 8/25/2021 12:06 AM, Niklas Haas wrote:
> From: Niklas Haas <git@haasn.dev>
> 
> If slice_type is > 9, the access to ff_h264_golomb_to_pict_type is
> out-of-bounds. Fix this by simply setting the slice_type to 0 in this
> case.
> 
> This is completely inconsequential because the value is only being used
> as an offset in the calculation of the film grain seed value, a
> corruption of which is practically invisible.
> 
> Fixes coverity ticket #1490802
> ---
>   libavcodec/h264dec.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c
> index 5e5b1c1d69..595b6c81fb 100644
> --- a/libavcodec/h264dec.c
> +++ b/libavcodec/h264dec.c
> @@ -536,6 +536,7 @@ static int get_last_needed_nal(H264Context *h)
>               if (slice_type > 9) {
>                   if (h->avctx->err_recognition & AV_EF_EXPLODE)
>                       return AVERROR_INVALIDDATA;

Just don't abort at all. Set slice_type to 0 and let 
ff_h264_queue_decode_slice() handle this.

> +                slice_type = 0;
>               }
>               if (slice_type > 4)
>                   slice_type -= 5;
>

Patch

diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c
index 5e5b1c1d69..595b6c81fb 100644
--- a/libavcodec/h264dec.c
+++ b/libavcodec/h264dec.c
@@ -536,6 +536,7 @@  static int get_last_needed_nal(H264Context *h)
             if (slice_type > 9) {
                 if (h->avctx->err_recognition & AV_EF_EXPLODE)
                     return AVERROR_INVALIDDATA;
+                slice_type = 0;
             }
             if (slice_type > 4)
                 slice_type -= 5;
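Review bot: the new `slice_type = 0;` is only reached when AV_EF_EXPLODE is not set, because the `return AVERROR_INVALIDDATA;` two lines above it exits first, so the non-strict path now silently substitutes a fixed value for an out-of-range field read from the bitstream; a one-line comment at the assignment saying that 0 is an arbitrary in-range fallback chosen only to keep the later ff_h264_golomb_to_pict_type lookup in bounds (the commit message notes the value only feeds the film grain seed) would stop the bare assignment from reading like a parsed slice type. With slice_type forced to 0, the following `if (slice_type > 4) slice_type -= 5;` is skipped, so the value reaching the table lookup stays in range, which is the intended outcome.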