[FFmpeg-cvslog] h264_cavlc: check the size of the intra PCM data.
Anton Khirnov
git at videolan.org
Mon Mar 10 18:24:33 CET 2014
ffmpeg | branch: release/0.10 | Anton Khirnov <anton at khirnov.net> | Fri Nov 15 09:42:26 2013 +0100| [23144c5f060de1863859308eab4bc888b817840c] | committer: Reinhard Tartler
h264_cavlc: check the size of the intra PCM data.
Fixes invalid reads.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC:libav-stable at libav.org
(cherry picked from commit b5275ca1a805436ca12540c34dd5ed1671877434)
Signed-off-by: Reinhard Tartler <siretart at tauware.de>
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=23144c5f060de1863859308eab4bc888b817840c
---
libavcodec/h264_cavlc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index da9e1cb..5e3c79d 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -769,6 +769,10 @@ decode_intra_mb:
// We assume these blocks are very rare so we do not optimize it.
align_get_bits(&s->gb);
+ if (get_bits_left(&s->gb) < mb_size) {
+ av_log(s->avctx, AV_LOG_ERROR, "Not enough data for an intra PCM block.\n");
+ return AVERROR_INVALIDDATA;
+ }
// The pixels are stored in the same order as levels in h->mb array.
for(x=0; x < mb_size; x++){
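Review bot: the new check compares get_bits_left(&s->gb), which is a count of bits, directly against mb_size, while the loop right below uses mb_size as its iteration count, so the check is only sufficient if each iteration consumes a single bit. The loop body is not visible in this hunk; if it reads a byte per iteration, the comparison should scale accordingly, for example get_bits_left(&s->gb) < mb_size * 8, otherwise a truncated PCM block with at least mb_size bits but fewer than mb_size bytes remaining still passes and the reads run past the end of the buffer. It is also worth confirming the type of mb_size: get_bits_left() returns a signed int that can be negative once the reader has already overrun, and if mb_size is unsigned that negative value is converted to a large positive number and the check is bypassed. A short comment stating the unit of mb_size next to the check would make this easy to verify on the backport branches.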