[Ffmpeg-devel] h264 decoder bug

[Cameron Alderton]

There is a nasty little bug in h264.c.

In function decode_residual(), the variable total_coeff is assigned through
a call to pred_non_zero_count() which limits the return value to a maximum
of 31, however the variable total_coeff is then used to access the elements
in the coeff_token_table_index array which only contains 16 items. As you
would expect, this causes a crash.