Commit 704a10e1 authored by François Cartegnie's avatar François Cartegnie 🤞

packetizer: h264: fix read check on total avcc size computation

parent 8c097743
......@@ -216,9 +216,9 @@ static block_t *PacketizeBlock( decoder_t *p_dec, block_t **pp_block )
return NULL;
break;
}
/* Even frame size is likely incorrect FSIZE #18166.
* Sync minus one byte, we can always sync 1 byte further */
p_sys->i_input_size = p_sys->i_next_offset
/* Even frame size is likely incorrect FSIZE.
* Sync minus one byte, we can always sync 1 byte further */
= (p_sys->dts.i_frame_size % 2) ? p_sys->dts.i_frame_size - 1
: p_sys->dts.i_frame_size;
p_sys->i_state = STATE_NEXT_SYNC;
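Review bot: The comment's wording, "Even frame size is likely incorrect", reads as if even-valued sizes were the suspect ones, while the expression next to it subtracts one byte only when `i_frame_size % 2` is non-zero, i.e. for odd sizes. If the intent is "the FSIZE field itself may be wrong" (my reading, not confirmed by the page), say so directly, e.g. `/* FSIZE may be wrong: round an odd frame size down by one byte; resync can always move one byte further */`. The comment also sits between the two halves of an assignment chain, which makes the statement harder to scan; placing it above `p_sys->i_input_size = ...` would read better. PacketizeBlock's body starts and ends outside this hunk.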
......
......@@ -101,12 +101,12 @@ static size_t get_avcC_to_AnnexB_NAL_size( const uint8_t *p_buf, size_t i_buf )
{
size_t i_total = 0;
p_buf += 5;
i_buf -= 5;
if( i_buf < H264_MIN_AVCC_SIZE )
return 0;
p_buf += 5;
i_buf -= 5;
for ( unsigned int j = 0; j < 2; j++ )
{
/* First time is SPS, Second is PPS */
......@@ -115,6 +115,9 @@ static size_t get_avcC_to_AnnexB_NAL_size( const uint8_t *p_buf, size_t i_buf )
for ( unsigned int i = 0; i < i_loop_end; i++ )
{
if( i_buf < 2 )
return 0;
uint16_t i_nal_size = (p_buf[0] << 8) | p_buf[1];
if(i_nal_size > i_buf - 2)
return 0;
......@@ -122,6 +125,9 @@ static size_t get_avcC_to_AnnexB_NAL_size( const uint8_t *p_buf, size_t i_buf )
p_buf += i_nal_size + 2;
i_buf -= i_nal_size + 2;
}
if( j == 0 && i_buf < 1 )
return 0;
}
return i_total;
}
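Review bot: The guard `if( i_buf < H264_MIN_AVCC_SIZE )` is only safe if the constant covers the 5 skipped header bytes plus the SPS count byte, and the page shows neither its value nor the line that reads that byte. I assume the count is read from `p_buf[0]` in the part of the loop elided between the hunks. Since the avcC blob comes from container data, I would pin that dependency next to the check with a comment such as `/* needs 5 header bytes + SPS count byte before the loop */`, or with `static_assert( H264_MIN_AVCC_SIZE >= 6, "avcC header + SPS count" );`. The function also returns 0 for every truncated or inconsistent input, so a short header comment stating that 0 means "malformed avcC, do not convert" would make the contract explicit for callers.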
......