[vlc-devel] [PATCH] packetizer/h264: fix 17585: prevent overflow leading to crash

Francois Cartegnie fcvlcdev at free.fr
Fri Nov 4 11:15:31 CET 2016


On 01/11/2016 at 03:23, Filip Roséen wrote:

> -        msg_Dbg( p_dec, "found NAL_PPS (pps_id=%d sps_id=%d)", p_pps->i_id, p_pps->i_sps_id );
> +    {
> +        msg_Dbg( p_dec, "found NAL_PPS (pps_id=%" PRIu32 " sps_id=%" PRIu32 ")",
> +            p_pps->i_id, p_pps->i_sps_id );
> +    }
> +
>      p_sys->b_pps = true;
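Review bot: the new braces around the single `msg_Dbg` call mean this is now the body of a conditional that sits above the quoted lines, but neither the condition nor the `@@` header is shown, so it cannot be checked whether the message is still emitted on the intended path; please include the surrounding context. The `PRIu32` specifiers do match the `uint32_t` fields introduced later in the patch, but nothing in this hunk validates `p_pps->i_id` or `p_pps->i_sps_id` before `p_sys->b_pps` is set to true, which is the concern raised in the reply: a wider type makes an out-of-range id printable, not rejected.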

That fix is incorrect and allows overflows, thus not detecting broken
SPS, which would be passed to the decoder.

Also keeps bloating structs without reason. No id will ever require more
than 1 byte.

Francois

>  
>  struct h264_sequence_parameter_set_t
>  {
> -    int i_id;
> +    uint32_t i_id;
>      uint8_t i_profile, i_level;
>      uint8_t i_constraint_set_flags;
>      /* according to avcC, 3 bits max for those */
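Review bot: changing `i_id` from `int` to `uint32_t` does not by itself prevent the overflow the subject line refers to; it only changes which values the field can hold, and as the reply notes an SPS with an out-of-range id still passes through unless the parser compares the value against the allowed maximum and drops the NAL. Since ids fit in one byte, a `uint8_t` with a range check at parse time would keep the struct small and make the rejection explicit; that check belongs in the parsing code, which this region of the diff does not include.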
> @@ -129,8 +129,8 @@ struct h264_sequence_parameter_set_t
>  
>  struct h264_picture_parameter_set_t
>  {
> -    int i_id;
> -    int i_sps_id;
> +    uint32_t i_id;
> +    uint32_t i_sps_id;
>      int i_pic_order_present_flag;
>  };
>  
> 
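Review bot: in `h264_picture_parameter_set_t` the two ids are widened while `i_pic_order_present_flag` stays `int`, so the struct now mixes signed and fixed-width unsigned fields with no comment explaining why; pick one convention. More importantly, `i_sps_id` is the value a PPS uses to refer to its SPS, so if it is used to select a stored parameter set anywhere, an unchecked `uint32_t` read from the bitstream is exactly the overflow case to guard against; the hunk shows the type change but no corresponding bounds check or rejection path.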