[FFmpeg-cvslog] avcodec/h264: Disallow pps_id changing between slices

Michael Niedermayer git at videolan.org
Tue Feb 4 00:08:27 CET 2014


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Mon Feb  3 23:52:38 2014 +0100| [e708424b70bef8641e8a090ec4d9e8c4490db87e] | committer: Michael Niedermayer

avcodec/h264: Disallow pps_id changing between slices

Such changes are forbidden in H.264 and lead to race conditions

Fixes out of array read
Fixes: signal_sigsegv_f9796a_1613_cov_3114610371_FM1_BT_B.h264
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e708424b70bef8641e8a090ec4d9e8c4490db87e
---

 libavcodec/h264.c |   10 ++++++++++
 libavcodec/h264.h |    2 ++
 2 files changed, 12 insertions(+)

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 83f4c58..9fa2954 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3509,6 +3509,12 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
                pps_id);
         return AVERROR_INVALIDDATA;
     }
+    if (h0->au_pps_id >= 0 && pps_id != h0->au_pps_id) {
+        av_log(h->avctx, AV_LOG_ERROR,
+               "PPS change from %d to %d forbidden\n",
+               h0->au_pps_id, pps_id);
+        return AVERROR_INVALIDDATA;
+    }
     h->pps = *h0->pps_buffers[pps_id];
 
     if (!h0->sps_buffers[h->pps.sps_id]) {
@@ -4104,6 +4110,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
     if (h->ref_count[0]) h->er.last_pic = &h->ref_list[0][0];
     if (h->ref_count[1]) h->er.next_pic = &h->ref_list[1][0];
     h->er.ref_count = h->ref_count[0];
+    h0->au_pps_id = pps_id;
 
     if (h->avctx->debug & FF_DEBUG_PICT_INFO) {
         av_log(h->avctx, AV_LOG_DEBUG,
@@ -4872,6 +4879,9 @@ static int decode_nal_units(H264Context *h, const uint8_t *buf, int buf_size,
                 continue;
 
 again:
+            if (   !(avctx->active_thread_type & FF_THREAD_FRAME)
+                || nals_needed >= nal_index)
+                h->au_pps_id = -1;
             /* Ignore per frame NAL unit type during extradata
              * parsing. Decoding slices is not possible in codec init
              * with frame-mt */
diff --git a/libavcodec/h264.h b/libavcodec/h264.h
index 916f104..6606d0b 100644
--- a/libavcodec/h264.h
+++ b/libavcodec/h264.h
@@ -390,6 +390,8 @@ typedef struct H264Context {
      */
     PPS pps; // FIXME move to Picture perhaps? (->no) do we need that?
 
+    int au_pps_id; ///< pps_id of current access unit
+
     uint32_t dequant4_buffer[6][QP_MAX_NUM + 1][16]; // FIXME should these be moved down?
     uint32_t dequant8_buffer[6][QP_MAX_NUM + 1][64];
     uint32_t(*dequant4_coeff[6])[16];



More information about the ffmpeg-cvslog mailing list