[FFmpeg-cvslog] avcodec/h264_ps: Fix copying oversized pps&sps data

[Michael Niedermayer]

ffmpeg | branch: master | Michael Niedermayer <michael at niedermayer.cc> | Fri Oct  2 21:02:08 2015 +0200| [85c92789b60416bb89f7938fa236c558603559f6] | committer: Michael Niedermayer

avcodec/h264_ps: Fix copying oversized pps&sps data

Fixes: https://trac.ffmpeg.org/attachment/ticket/685/movie.264

In the available testcase the actual PPS only uses a few bits
while there are 7kbyte of apparently random data after it

Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=85c92789b60416bb89f7938fa236c558603559f6
---

 libavcodec/h264_ps.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index fd16a95..e37a6d6 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -312,8 +312,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h, int ignore_truncation)
         return AVERROR(ENOMEM);
 
     sps->data_size = h->gb.buffer_end - h->gb.buffer;
-    if (sps->data_size > sizeof(sps->data))
-        goto fail;
+    if (sps->data_size > sizeof(sps->data)) {
+        av_log(h->avctx, AV_LOG_WARNING, "Truncating likely oversized SPS\n");
+        sps->data_size = sizeof(sps->data);
+    }
     memcpy(sps->data, h->gb.buffer, sps->data_size);
 
     profile_idc           = get_bits(&h->gb, 8);
@@ -611,8 +613,8 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length)
         return AVERROR(ENOMEM);
     pps->data_size = h->gb.buffer_end - h->gb.buffer;
     if (pps->data_size > sizeof(pps->data)) {
-        ret = AVERROR_INVALIDDATA;
-        goto fail;
+        av_log(h->avctx, AV_LOG_WARNING, "Truncating likely oversized PPS\n");
+        pps->data_size = sizeof(pps->data);
     }
     memcpy(pps->data, h->gb.buffer, pps->data_size);
     pps->sps_id = get_ue_golomb_31(&h->gb);