[Ffmpeg-devel] h264 decoder bug

Cameron Alderton c.alderton
Wed Aug 16 14:49:57 CEST 2006


There is a nasty little bug in h264.c.

In function decode_residual(), the variable total_coeff is assigned through
a call to pred_non_zero_count() which limits the return value to a maximum
of 31; however, the variable total_coeff is then used to access the elements
in the coeff_token_table_index array which only contains 16 items. As you
would expect, this causes a crash.
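
The range mismatch described in the post, as an added example that is not part of the original message and is not FFmpeg's code: a simplified C model that counts how many predicted values fall outside a 16-entry table and shows a lookup that rejects them. The predictor `pred_model()`, the table `table_model` and its contents are hypothetical stand-ins; only the bounds 31 and 16 come from the post.

```c
#include <stddef.h>
#include <stdio.h>

#define TABLE_LEN 16   /* size the post gives for coeff_token_table_index */
#define PRED_MAX  31   /* upper bound the post gives for pred_non_zero_count() */

/* Constructed stand-in table: contents are placeholders, not FFmpeg's values. */
static const int table_model[TABLE_LEN] = {0,0,1,1,2,2,2,2,3,3,3,3,3,3,3,3};

/* Hypothetical predictor: averages two neighbour counts derived from
 * untrusted bitstream state and limits the result to PRED_MAX only. */
static int pred_model(int left, int top)
{
    int v = (left + top + 1) >> 1;
    return v > PRED_MAX ? PRED_MAX : v;
}

/* Hardened lookup: validates the index against the table it is used with.
 * Returns 0 and stores the entry, or -1 so the caller can reject the block. */
static int lookup_checked(int total_coeff, int *out)
{
    if (total_coeff < 0 || total_coeff >= TABLE_LEN)
        return -1;
    *out = table_model[total_coeff];
    return 0;
}

/* Sweeps every neighbour pair in 0..PRED_MAX and counts predictions that
 * would index past the end of the table if used without a check. */
static int count_out_of_range(void)
{
    int bad = 0;
    for (int l = 0; l <= PRED_MAX; l++)
        for (int t = 0; t <= PRED_MAX; t++)
            if (pred_model(l, t) >= TABLE_LEN)
                bad++;
    return bad;
}

int main(void)
{
    int idx;
    printf("out-of-range predictions: %d\n", count_out_of_range());
    printf("lookup for (31,31) -> %d\n", lookup_checked(pred_model(31, 31), &idx));
    return 0;
}
```

The point of the sweep is that a clamp chosen for one purpose (31) says nothing about the table the value later indexes; the check has to be against the table's own length at the point of use.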




