[FFmpeg-devel] [PATCH] avcodec/h264dec: fix possible out-of-bounds array access
James Almer
jamrial at gmail.com
Wed Aug 25 06:09:02 EEST 2021
On 8/25/2021 12:06 AM, Niklas Haas wrote:
> From: Niklas Haas <git at haasn.dev>
>
> If slice_type is > 9, the access to ff_h264_golomb_to_pict_type is
> out-of-bounds. Fix this by simply setting the slice_type to 0 in this
> case.
>
> This is completely inconsequential because the value is only being used
> as an offset in the calculation of the film grain seed value, a
> corruption of which is practically invisible.
>
> Fixes coverity ticket #1490802
> ---
> libavcodec/h264dec.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c
> index 5e5b1c1d69..595b6c81fb 100644
> --- a/libavcodec/h264dec.c
> +++ b/libavcodec/h264dec.c
> @@ -536,6 +536,7 @@ static int get_last_needed_nal(H264Context *h)
> if (slice_type > 9) {
> if (h->avctx->err_recognition & AV_EF_EXPLODE)
> return AVERROR_INVALIDDATA;
Just don't abort at all. Set slice_type to 0 and let
ff_h264_queue_decode_slice() handle this.
> + slice_type = 0;
> }
> if (slice_type > 4)
> slice_type -= 5;
>
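Review bot: the added `slice_type = 0;` is only reached when AV_EF_EXPLODE is not set, because the `return AVERROR_INVALIDDATA;` two lines above it still aborts first, so the hunk does not match the commit message's "simply setting the slice_type to 0"; if the decoder is meant to carry on regardless (as suggested in the reply), the AV_EF_EXPLODE early return should be dropped rather than a clamp placed beneath it. A one-line comment at the assignment noting that 0 is chosen so the following `if (slice_type > 4) slice_type -= 5;` and the ff_h264_golomb_to_pict_type index stay in range would help the next reader understand why the value is reset rather than rejected.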
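The defect class discussed in this thread, a syntax element decoded straight from the bitstream and used as an index into a fixed-size table, is shown below in a constructed C example. It is added here and is not FFmpeg code: `golomb_to_pict_type` is a 5-entry stand-in for ff_h264_golomb_to_pict_type, `read_ue` is a minimal ue(v) Exp-Golomb reader, and the sample byte strings are constructed inputs (a valid slice_type, an out-of-range one, and a truncated stream). The checked lookup clamps out-of-range values to 0, as the patch does, but also reports the clamp so a caller can still count the stream as damaged instead of silently continuing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not FFmpeg code. H.264 slice_type is 0..9; values
 * 5..9 mean the same picture types as 0..4, so decoders subtract 5 and
 * index a 5-entry table. Anything above 9 must never reach the table. */
enum { PICT_P = 1, PICT_B = 2, PICT_I = 3, PICT_SP = 4, PICT_SI = 5 };

/* Hypothetical stand-in for ff_h264_golomb_to_pict_type (assumed layout). */
static const uint8_t golomb_to_pict_type[5] = {
    PICT_P, PICT_B, PICT_I, PICT_SP, PICT_SI,
};

/* Minimal MSB-first bit reader over a byte buffer. */
typedef struct {
    const uint8_t *buf;
    size_t size_bits;
    size_t pos;
} BitReader;

static int read_bit(BitReader *br)
{
    if (br->pos >= br->size_bits)
        return -1;                                  /* ran out of data */
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Unsigned Exp-Golomb ue(v): n leading zeros, a 1, then n suffix bits;
 * value = 2^n - 1 + suffix. Returns -1 on truncation or n > 31. */
static int64_t read_ue(BitReader *br)
{
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0) {
        if (++zeros > 31)
            return -1;
    }
    if (bit < 0)
        return -1;
    uint64_t suffix = 0;
    for (int i = 0; i < zeros; i++) {
        bit = read_bit(br);
        if (bit < 0)
            return -1;
        suffix = (suffix << 1) | (unsigned)bit;
    }
    return (int64_t)((((uint64_t)1 << zeros) - 1) + suffix);
}

/* Checked lookup: an out-of-range or undecodable slice_type is clamped to 0
 * (the patch's choice) and *clamped is set so the caller can flag the
 * stream as damaged. The unchecked form, golomb_to_pict_type[slice_type - 5]
 * with no range test, is the bug: slice_type >= 10 reads past the table. */
static int pict_type_checked(int64_t slice_type, int *clamped)
{
    *clamped = 0;
    if (slice_type < 0 || slice_type > 9) {
        *clamped = 1;
        slice_type = 0;
    }
    if (slice_type > 4)
        slice_type -= 5;
    return golomb_to_pict_type[slice_type];
}

/* Decode one ue(v) slice_type from the start of buf and map it. */
static int pict_type_from_bits(const uint8_t *buf, size_t nbytes, int *clamped)
{
    BitReader br = { buf, nbytes * 8, 0 };
    return pict_type_checked(read_ue(&br), clamped);
}

/* Constructed sample inputs (MSB first, zero padded). */
static const uint8_t sample_ok[]        = { 0x10 }; /* 0001000 -> ue = 7  */
static const uint8_t sample_oob[]       = { 0x1A }; /* 0001101 -> ue = 12 */
static const uint8_t sample_truncated[] = { 0x00 }; /* only zeros, no stop bit */

int main(void)
{
    int c;
    printf("ue=7  -> pict %d clamped %d\n", pict_type_from_bits(sample_ok, 1, &c), c);
    printf("ue=12 -> pict %d clamped %d\n", pict_type_from_bits(sample_oob, 1, &c), c);
    printf("trunc -> pict %d clamped %d\n", pict_type_from_bits(sample_truncated, 1, &c), c);
    return 0;
}
```

Returning the clamp flag separately keeps the "never abort" behaviour the reply asks for while still giving the caller something to act on, for example a counter or an error-concealment decision; silently substituting 0 is safe for the table but hides that the input was malformed.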