[FFmpeg-cvslog] h264: Add check for invalid chroma_format_idc

Alexander Strange git at videolan.org
Mon Jun 4 13:13:41 CEST 2012


ffmpeg | branch: release/0.7 | Alexander Strange <astrange at ithinksw.com> | Sat Mar 24 17:32:14 2012 -0400| [c5f7c755cfccd7aa01010a2d566104c2b0fa6d86] | committer: Reinhard Tartler

h264: Add check for invalid chroma_format_idc

Fixes a crash when FF_DEBUG_PICT_INFO is used.

Signed-off-by: Ronald S. Bultje <rsbultje at gmail.com>
(cherry picked from commit 6ef4063957aa5025c8d2cd757b6a537e4b6874df)

Fixes: CVE-2012-0851

Signed-off-by: Reinhard Tartler <siretart at tauware.de>
(cherry picked from commit 47132345184dc3d0ff962a57a1225564fe979548)

Signed-off-by: Reinhard Tartler <siretart at tauware.de>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=c5f7c755cfccd7aa01010a2d566104c2b0fa6d86
---

 libavcodec/h264_ps.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index fe988e9..9eeff59 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -329,8 +329,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
 
     if(sps->profile_idc >= 100){ //high profile
         sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
-        if(sps->chroma_format_idc == 3)
+        if(sps->chroma_format_idc > 3) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc (%u) out of range\n", sps->chroma_format_idc);
+            return -1;
+        } else if(sps->chroma_format_idc == 3) {
             sps->residual_color_transform_flag = get_bits1(&s->gb);
+        }
         sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;
         sps->bit_depth_chroma = get_ue_golomb(&s->gb) + 8;
         sps->transform_bypass = get_bits1(&s->gb);



More information about the ffmpeg-cvslog mailing list