[vlc-commits] packetizer: h264: check hdr parameters loop (fix #17590)

[Francois Cartegnie]

vlc | branch: master | Francois Cartegnie <fcvlcdev at free.fr> | Wed Nov  2 15:02:10 2016 +0100| [28c0aa81ae4df27f3a7366eaee24f54d22db6f88] | committer: Francois Cartegnie

packetizer: h264: check hdr parameters loop (fix #17590)

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=28c0aa81ae4df27f3a7366eaee24f54d22db6f88
---

 modules/packetizer/h264_nal.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/packetizer/h264_nal.c b/modules/packetizer/h264_nal.c
index ec6230f..09744c3 100644
--- a/modules/packetizer/h264_nal.c
+++ b/modules/packetizer/h264_nal.c
@@ -433,10 +433,14 @@ static bool h264_parse_sequence_parameter_set_rbsp( bs_t *p_bs,
             {
                 p_sps->vui.b_hrd_parameters_present_flag = true;
                 uint32_t count = bs_read_ue( p_bs ) + 1;
+                if( count > 31 )
+                    return false;
                 bs_read( p_bs, 4 );
                 bs_read( p_bs, 4 );
                 for( uint32_t i=0; i<count; i++ )
                 {
+                    if( bs_remain( p_bs ) < 23 )
+                        return false;
                     bs_read_ue( p_bs );
                     bs_read_ue( p_bs );
                     bs_read( p_bs, 1 );