[FFmpeg-cvslog] avcodec/h264dec: fix possible out-of-bounds array access

[Niklas Haas]

ffmpeg | branch: master | Niklas Haas <git at haasn.dev> | Wed Aug 25 05:06:01 2021 +0200| [94653e0dee8d2efa85087e28249249cb3fde3d71] | committer: James Almer

avcodec/h264dec: fix possible out-of-bounds array access

If slice_type is > 9, the access to ff_h264_golomb_to_pict_type is
out-of-bounds. Fix this by simply setting the slice_type to 0 in this
case.

This is completely inconsequential because the value is only being used
to being used as an offset in the calculation of the film grain seed
value, a corruption of which is practically invisible.

Fixes coverity ticket #1490802

Signed-off-by: James Almer <jamrial at gmail.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=94653e0dee8d2efa85087e28249249cb3fde3d71
---

 libavcodec/h264dec.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c
index 5e5b1c1d69..c7e8b2827b 100644
--- a/libavcodec/h264dec.c
+++ b/libavcodec/h264dec.c
@@ -533,10 +533,8 @@ static int get_last_needed_nal(H264Context *h)
                 first_slice != nal->type)
                 nals_needed = i;
             slice_type = get_ue_golomb_31(&gb);
-            if (slice_type > 9) {
-                if (h->avctx->err_recognition & AV_EF_EXPLODE)
-                    return AVERROR_INVALIDDATA;
-            }
+            if (slice_type > 9)
+                slice_type = 0;
             if (slice_type > 4)
                 slice_type -= 5;