[FFmpeg-cvslog] avcodec/h264: Be more strict on rejecting pps/sps changes
Michael Niedermayer
git at videolan.org
Wed Feb 11 13:24:23 CET 2015
ffmpeg | branch: release/1.2 | Michael Niedermayer <michaelni at gmx.at> | Fri Feb 6 15:09:54 2015 +0100| [763c7533483b332bfe2064df4de43056f3935d84] | committer: Michael Niedermayer
avcodec/h264: Be more strict on rejecting pps/sps changes
Fixes race condition
Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>
(cherry picked from commit 6fafc62b0bd0e206deb77a7aabbf3a370ad80789)
Conflicts:
libavcodec/h264.c
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=763c7533483b332bfe2064df4de43056f3935d84
---
libavcodec/h264.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 65e53ac..f4b19a0 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3147,6 +3147,8 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
int last_pic_structure, last_pic_droppable;
int must_reinit;
int needs_reinit = 0;
+ int first_slice = h == h0 && !h0->current_slice;
+ PPS *pps;
h->me.qpel_put = h->h264qpel.put_h264_qpel_pixels_tab;
h->me.qpel_avg = h->h264qpel.avg_h264_qpel_pixels_tab;
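Review bot: `first_slice` carries the invariant this fix depends on, yet it is declared without a comment. It is false for every context where `h != h0`, so only the main context, before any slice of the frame has been counted, is treated as allowed to switch parameter sets. A one-line comment above the declaration, such as `/* only the main context's first slice of a frame may switch PPS/SPS */`, would keep later edits from loosening the condition. The local declarations belong to decode_slice_header, whose body starts and ends outside this hunk.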
@@ -3200,17 +3202,26 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
pps_id);
return -1;
}
- h->pps = *h0->pps_buffers[pps_id];
- if (!h0->sps_buffers[h->pps.sps_id]) {
+ pps = h0->pps_buffers[pps_id];
+
+ if (!h0->sps_buffers[pps->sps_id]) {
av_log(h->avctx, AV_LOG_ERROR,
"non-existing SPS %u referenced\n",
h->pps.sps_id);
return -1;
}
+ if (first_slice)
+ h->pps = *h0->pps_buffers[pps_id];
+
+ if (pps->sps_id != h->current_sps_id ||
+ h0->sps_buffers[pps->sps_id]->new) {
- if (h->pps.sps_id != h->current_sps_id ||
- h0->sps_buffers[h->pps.sps_id]->new) {
+ if (!first_slice) {
+ av_log(h->avctx, AV_LOG_ERROR,
+ "SPS changed in the middle of the frame\n");
+ return AVERROR_INVALIDDATA;
+ }
h0->sps_buffers[h->pps.sps_id]->new = 0;
h->current_sps_id = h->pps.sps_id;
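Review bot: The "non-existing SPS" error path still logs `h->pps.sps_id`, although the lookup that failed now uses `pps->sps_id`. On any slice after the first, `h->pps` is no longer refreshed, so the message reports the SPS id of the previously active PPS rather than the one that was missing; the argument should be `pps->sps_id`. The same mix continues below the new mid-frame check, where `h0->sps_buffers[h->pps.sps_id]->new = 0;` and `h->current_sps_id = h->pps.sps_id;` are only correct because `first_slice` has just copied the PPS, and using `pps->sps_id` there would make that dependence explicit. Separately, the new rejection compares SPS ids only. Whether a later slice naming a different `pps_id` that maps to the same SPS is caught cannot be seen here, since decode_slice_header continues outside the hunk.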