[vlc-commits] h264_nal: prevent infinite loops in PPS slice parsing

Rémi Denis-Courmont git at videolan.org
Tue Nov 28 17:42:13 CET 2017 

vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Mon Nov 27 20:15:33 2017 +0200| [e3a9edee12661f798c4d405a79e4e105cde74129] | committer: Rémi Denis-Courmont

h264_nal: prevent infinite loops in PPS slice parsing

If X_minus_one == UINT32_MAX, the for-loop condition is always true.
This patch uses X directly: parsing will be wrong anyway, but at
least it won't lead to an infinite busy loop.

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=e3a9edee12661f798c4d405a79e4e105cde74129
---

 modules/packetizer/h264_nal.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/modules/packetizer/h264_nal.c b/modules/packetizer/h264_nal.c
index dd3b270ed5..22fb99caf0 100644
--- a/modules/packetizer/h264_nal.c
+++ b/modules/packetizer/h264_nal.c
@@ -548,18 +548,19 @@ static bool h264_parse_picture_parameter_set_rbsp( bs_t *p_bs,
 
     bs_skip( p_bs, 1 ); // entropy coding mode flag
     p_pps->i_pic_order_present_flag = bs_read( p_bs, 1 );
-    unsigned num_slice_groups_minus1 = bs_read_ue( p_bs );
-    if( num_slice_groups_minus1 > 0 )
+
+    unsigned num_slice_groups = bs_read_ue( p_bs ) + 1;
+    if( num_slice_groups > 1 )
     {
         unsigned slice_group_map_type = bs_read_ue( p_bs );
         if( slice_group_map_type == 0 )
         {
-            for( unsigned i=0; i <= num_slice_groups_minus1; i++ )
+            for( unsigned i = 0; i < num_slice_groups; i++ )
                 bs_read_ue( p_bs ); /* run_length_minus1[group] */
         }
         else if( slice_group_map_type == 2 )
         {
-            for( unsigned i=0; i <= num_slice_groups_minus1; i++ )
+            for( unsigned i = 0; i < num_slice_groups; i++ )
             {
                 bs_read_ue( p_bs ); /* top_left[group] */
                 bs_read_ue( p_bs ); /* bottom_right[group] */
@@ -572,14 +573,14 @@ static bool h264_parse_picture_parameter_set_rbsp( bs_t *p_bs,
         }
         else if( slice_group_map_type == 6 )
         {
-            unsigned pic_size_in_maps_units_minus1 = bs_read_ue( p_bs );
+            unsigned pic_size_in_maps_units = bs_read_ue( p_bs ) + 1;
             unsigned sliceGroupSize = 1;
-            while(num_slice_groups_minus1 > 0)
+            while(num_slice_groups > 1)
             {
                 sliceGroupSize++;
-                num_slice_groups_minus1 >>= 1;
+                num_slice_groups = ((num_slice_groups - 1) >> 1) + 1;
             }
-            for( unsigned i=0; i <= pic_size_in_maps_units_minus1; i++ )
+            for( unsigned i = 0; i < pic_size_in_maps_units; i++ )
             {
                 bs_read( p_bs, sliceGroupSize );
             }

More information about the vlc-commits mailing list