[vlc-devel] [PATCH] h264_nal: prevent infinite loops in PPS slice parsing

RĂ©mi Denis-Courmont remi at remlab.net
Mon Nov 27 19:18:07 CET 2017 

If X_minus_one == UINT32_MAX, the for-loop condition is always true.
This patch uses X directly: parsing will be wrong anyway, but at
least it won't lead to an infinite busy loop.
---
 modules/packetizer/h264_nal.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/modules/packetizer/h264_nal.c b/modules/packetizer/h264_nal.c
index dd3b270ed5..22fb99caf0 100644
--- a/modules/packetizer/h264_nal.c
+++ b/modules/packetizer/h264_nal.c
@@ -548,18 +548,19 @@ static bool h264_parse_picture_parameter_set_rbsp( bs_t *p_bs,
 
     bs_skip( p_bs, 1 ); // entropy coding mode flag
     p_pps->i_pic_order_present_flag = bs_read( p_bs, 1 );
-    unsigned num_slice_groups_minus1 = bs_read_ue( p_bs );
-    if( num_slice_groups_minus1 > 0 )
+
+    unsigned num_slice_groups = bs_read_ue( p_bs ) + 1;
+    if( num_slice_groups > 1 )
     {
         unsigned slice_group_map_type = bs_read_ue( p_bs );
         if( slice_group_map_type == 0 )
         {
-            for( unsigned i=0; i <= num_slice_groups_minus1; i++ )
+            for( unsigned i = 0; i < num_slice_groups; i++ )
                 bs_read_ue( p_bs ); /* run_length_minus1[group] */
         }
         else if( slice_group_map_type == 2 )
         {
-            for( unsigned i=0; i <= num_slice_groups_minus1; i++ )
+            for( unsigned i = 0; i < num_slice_groups; i++ )
             {
                 bs_read_ue( p_bs ); /* top_left[group] */
                 bs_read_ue( p_bs ); /* bottom_right[group] */
@@ -572,14 +573,14 @@ static bool h264_parse_picture_parameter_set_rbsp( bs_t *p_bs,
         }
         else if( slice_group_map_type == 6 )
         {
-            unsigned pic_size_in_maps_units_minus1 = bs_read_ue( p_bs );
+            unsigned pic_size_in_maps_units = bs_read_ue( p_bs ) + 1;
             unsigned sliceGroupSize = 1;
-            while(num_slice_groups_minus1 > 0)
+            while(num_slice_groups > 1)
             {
                 sliceGroupSize++;
-                num_slice_groups_minus1 >>= 1;
+                num_slice_groups = ((num_slice_groups - 1) >> 1) + 1;
             }
-            for( unsigned i=0; i <= pic_size_in_maps_units_minus1; i++ )
+            for( unsigned i = 0; i < pic_size_in_maps_units; i++ )
             {
                 bs_read( p_bs, sliceGroupSize );
             }
-- 
2.15.0

More information about the vlc-devel mailing list