[vlc-commits] packetizer: h264: fix invalid deref (fix #17585)

Francois Cartegnie git at videolan.org
Tue Nov 1 10:27:04 CET 2016


vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Tue Nov  1 01:24:48 2016 +0100| [f63ee9ba4847230826d4866eb6fe5b2461ddc6e1] | committer: Francois Cartegnie

packetizer: h264: fix invalid deref (fix #17585)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=f63ee9ba4847230826d4866eb6fe5b2461ddc6e1
---

 modules/codec/omxil/mediacodec.c |  2 +-
 modules/packetizer/h264.c        | 16 ++++++++--------
 modules/packetizer/h264_nal.c    | 13 ++++++++-----
 modules/packetizer/h264_nal.h    | 10 +++++-----
 4 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/modules/codec/omxil/mediacodec.c b/modules/codec/omxil/mediacodec.c
index 14991ec..cbe4473 100644
--- a/modules/codec/omxil/mediacodec.c
+++ b/modules/codec/omxil/mediacodec.c
@@ -313,7 +313,7 @@ static int H264SetCSD(decoder_t *p_dec, void *p_buf, size_t i_size,
         /* Compare the SPS PPS with the old one */
         if (!CSDCmp(p_dec, csd, i_csd_count))
         {
-            msg_Warn(p_dec, "New SPS/PPS found, id: %d size: %ux%u sps: %d pps: %d",
+            msg_Warn(p_dec, "New SPS/PPS found, id: %" PRIu8 " size: %ux%u sps: %d pps: %d",
                      p_sps->i_id, vsize[0], vsize[1],
                      i_sps_size, i_pps_size);
 
diff --git a/modules/packetizer/h264.c b/modules/packetizer/h264.c
index fc72726..765c3fa 100644
--- a/modules/packetizer/h264.c
+++ b/modules/packetizer/h264.c
@@ -101,8 +101,8 @@ struct decoder_sys_t
     bool   b_header;
     bool   b_sps;
     bool   b_pps;
-    block_t *pp_sps[H264_SPS_MAX];
-    block_t *pp_pps[H264_PPS_MAX];
+    block_t *pp_sps[H264_SPS_ID_MAX + 1];
+    block_t *pp_pps[H264_PPS_ID_MAX + 1];
     int    i_recovery_frames;  /* -1 = no recovery */
 
     /* avcC data */
@@ -211,9 +211,9 @@ static int Open( vlc_object_t *p_this )
     p_sys->b_header= false;
     p_sys->b_sps   = false;
     p_sys->b_pps   = false;
-    for( i = 0; i < H264_SPS_MAX; i++ )
+    for( i = 0; i <= H264_SPS_ID_MAX; i++ )
         p_sys->pp_sps[i] = NULL;
-    for( i = 0; i < H264_PPS_MAX; i++ )
+    for( i = 0; i <= H264_PPS_ID_MAX; i++ )
         p_sys->pp_pps[i] = NULL;
     p_sys->i_recovery_frames = -1;
 
@@ -328,12 +328,12 @@ static void Close( vlc_object_t *p_this )
 
     if( p_sys->p_frame )
         block_ChainRelease( p_sys->p_frame );
-    for( i = 0; i < H264_SPS_MAX; i++ )
+    for( i = 0; i < H264_SPS_ID_MAX; i++ )
     {
         if( p_sys->pp_sps[i] )
             block_Release( p_sys->pp_sps[i] );
     }
-    for( i = 0; i < H264_PPS_MAX; i++ )
+    for( i = 0; i < H264_PPS_ID_MAX; i++ )
     {
         if( p_sys->pp_pps[i] )
             block_Release( p_sys->pp_pps[i] );
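Review bot: The Close loops at `for( i = 0; i < H264_SPS_ID_MAX; i++ )` and `for( i = 0; i < H264_PPS_ID_MAX; i++ )` stop one slot short, so pp_sps[H264_SPS_ID_MAX] and pp_pps[H264_PPS_ID_MAX] are never released and a block leaks on close whenever a stream used SPS id 31 or PPS id 255; the arrays are declared with H264_*_ID_MAX + 1 entries and Open initializes them with `<=`. Both conditions should read `i <= H264_SPS_ID_MAX` and `i <= H264_PPS_ID_MAX`. The same off-by-one appears in the OutputPicture hunk's PPS loop, `for( int i = 0; i < H264_PPS_ID_MAX && (b_sps_pps_i || p_sys->b_frame_pps); i++ )`, which is inconsistent with the SPS loop directly above it and silently drops PPS id 255 from the emitted parameter sets. Close begins outside this hunk.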
@@ -578,12 +578,12 @@ static block_t *OutputPicture( decoder_t *p_dec )
 
         block_t *p_list = NULL;
         block_t **pp_list_tail = &p_list;
-        for( int i = 0; i < H264_SPS_MAX && (b_sps_pps_i || p_sys->b_frame_sps); i++ )
+        for( int i = 0; i <= H264_SPS_ID_MAX && (b_sps_pps_i || p_sys->b_frame_sps); i++ )
         {
             if( p_sys->pp_sps[i] )
                 block_ChainLastAppend( &pp_list_tail, block_Duplicate( p_sys->pp_sps[i] ) );
         }
-        for( int i = 0; i < H264_PPS_MAX && (b_sps_pps_i || p_sys->b_frame_pps); i++ )
+        for( int i = 0; i < H264_PPS_ID_MAX && (b_sps_pps_i || p_sys->b_frame_pps); i++ )
         {
             if( p_sys->pp_pps[i] )
                 block_ChainLastAppend( &pp_list_tail, block_Duplicate( p_sys->pp_pps[i] ) );
diff --git a/modules/packetizer/h264_nal.c b/modules/packetizer/h264_nal.c
index 606eba6..ec6230f 100644
--- a/modules/packetizer/h264_nal.c
+++ b/modules/packetizer/h264_nal.c
@@ -215,9 +215,10 @@ static bool h264_parse_sequence_parameter_set_rbsp( bs_t *p_bs,
     p_sps->i_constraint_set_flags = bs_read( p_bs, 8 );
     p_sps->i_level = bs_read( p_bs, 8 );
     /* sps id */
-    p_sps->i_id = bs_read_ue( p_bs );
-    if( p_sps->i_id >= H264_SPS_MAX )
+    uint32_t i_sps_id = bs_read_ue( p_bs );
+    if( i_sps_id > H264_SPS_ID_MAX )
         return false;
+    p_sps->i_id = i_sps_id;
 
     if( i_profile_idc == PROFILE_H264_HIGH ||
         i_profile_idc == PROFILE_H264_HIGH_10 ||
@@ -467,10 +468,12 @@ void h264_release_pps( h264_picture_parameter_set_t *p_pps )
 static bool h264_parse_picture_parameter_set_rbsp( bs_t *p_bs,
                                                    h264_picture_parameter_set_t *p_pps )
 {
-    p_pps->i_id = bs_read_ue( p_bs ); // pps id
-    p_pps->i_sps_id = bs_read_ue( p_bs ); // sps id
-    if( p_pps->i_id >= H264_PPS_MAX || p_pps->i_sps_id >= H264_SPS_MAX )
+    uint32_t i_pps_id = bs_read_ue( p_bs ); // pps id
+    uint32_t i_sps_id = bs_read_ue( p_bs ); // sps id
+    if( i_pps_id > H264_PPS_ID_MAX || i_sps_id > H264_SPS_ID_MAX )
         return false;
+    p_pps->i_id = i_pps_id;
+    p_pps->i_sps_id = i_sps_id;
 
     bs_skip( p_bs, 1 ); // entropy coding mode flag
     p_pps->i_pic_order_present_flag = bs_read( p_bs, 1 );
diff --git a/modules/packetizer/h264_nal.h b/modules/packetizer/h264_nal.h
index 201f1ae..3ba2f1b 100644
--- a/modules/packetizer/h264_nal.h
+++ b/modules/packetizer/h264_nal.h
@@ -41,8 +41,8 @@
 #define PROFILE_H264_MVC_MULTIVIEW_DEPTH_HIGH          138
 #define PROFILE_H264_MVC_ENHANCED_MULTIVIEW_DEPTH_HIGH 139
 
-#define H264_SPS_MAX (32)
-#define H264_PPS_MAX (256)
+#define H264_SPS_ID_MAX (31)
+#define H264_PPS_ID_MAX (255)
 
 enum h264_nal_unit_type_e
 {
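Review bot: The renamed constants at `#define H264_SPS_ID_MAX (31)` and `#define H264_PPS_ID_MAX (255)` carry no comment saying they are inclusive upper bounds, and the mix of `<` and `<=` loop conditions in the h264.c hunks shows how easy that is to get wrong after switching from a count to a maximum id. A one-line comment above them would help, e.g. `/* Inclusive upper bounds: seq_parameter_set_id is 0..31 and pic_parameter_set_id is 0..255 in H.264; arrays indexed by id need ID_MAX + 1 slots */`. Any remaining user of the removed H264_SPS_MAX / H264_PPS_MAX names outside the four touched files would no longer compile, though none is visible here.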
@@ -84,7 +84,7 @@ void h264_release_pps( h264_picture_parameter_set_t * );
 
 struct h264_sequence_parameter_set_t
 {
-    int i_id;
+    uint8_t i_id;
     uint8_t i_profile, i_level;
     uint8_t i_constraint_set_flags;
     /* according to avcC, 3 bits max for those */
@@ -129,8 +129,8 @@ struct h264_sequence_parameter_set_t
 
 struct h264_picture_parameter_set_t
 {
-    int i_id;
-    int i_sps_id;
+    uint8_t i_id;
+    uint8_t i_sps_id;
     int i_pic_order_present_flag;
 };
 


