Commit e3a9edee authored by Rémi Denis-Courmont's avatar Rémi Denis-Courmont

h264_nal: prevent infinite loops in PPS slice parsing

If X_minus_one == UINT32_MAX, the for-loop condition is always true.
This patch uses X directly: parsing will be wrong anyway, but at
least it won't lead to an infinite busy loop.
parent 7c898da4
......@@ -548,18 +548,19 @@ static bool h264_parse_picture_parameter_set_rbsp( bs_t *p_bs,
bs_skip( p_bs, 1 ); // entropy coding mode flag
p_pps->i_pic_order_present_flag = bs_read( p_bs, 1 );
unsigned num_slice_groups_minus1 = bs_read_ue( p_bs );
if( num_slice_groups_minus1 > 0 )
unsigned num_slice_groups = bs_read_ue( p_bs ) + 1;
if( num_slice_groups > 1 )
{
unsigned slice_group_map_type = bs_read_ue( p_bs );
if( slice_group_map_type == 0 )
{
for( unsigned i=0; i <= num_slice_groups_minus1; i++ )
for( unsigned i = 0; i < num_slice_groups; i++ )
bs_read_ue( p_bs ); /* run_length_minus1[group] */
}
else if( slice_group_map_type == 2 )
{
for( unsigned i=0; i <= num_slice_groups_minus1; i++ )
for( unsigned i = 0; i < num_slice_groups; i++ )
{
bs_read_ue( p_bs ); /* top_left[group] */
bs_read_ue( p_bs ); /* bottom_right[group] */
......@@ -572,14 +573,14 @@ static bool h264_parse_picture_parameter_set_rbsp( bs_t *p_bs,
}
else if( slice_group_map_type == 6 )
{
unsigned pic_size_in_maps_units_minus1 = bs_read_ue( p_bs );
unsigned pic_size_in_maps_units = bs_read_ue( p_bs ) + 1;
unsigned sliceGroupSize = 1;
while(num_slice_groups_minus1 > 0)
while(num_slice_groups > 1)
{
sliceGroupSize++;
num_slice_groups_minus1 >>= 1;
num_slice_groups = ((num_slice_groups - 1) >> 1) + 1;
}
for( unsigned i=0; i <= pic_size_in_maps_units_minus1; i++ )
for( unsigned i = 0; i < pic_size_in_maps_units; i++ )
{
bs_read( p_bs, sliceGroupSize );
}
......
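Review bot: The bounds `i < num_slice_groups` and `i < pic_size_in_maps_units` are still taken from the bitstream with no range check, so a malformed PPS can no longer loop forever but can still request on the order of 2^32 calls to `bs_read_ue()`/`bs_read()`. H.264 restricts num_slice_groups_minus1 to 0..7, so the value can be rejected right after it is read, e.g. `if( num_slice_groups > 8 ) return false;`. The function returns bool according to the hunk header, but its failure path lies outside the visible lines, so confirm that an early return leaks nothing. The `+ 1` also wraps UINT32_MAX to 0, which silently skips the whole slice-group block and leaves the reader misaligned for the fields that follow; the same range check would turn that case into a clean parse failure. For `pic_size_in_maps_units` no fixed limit is visible here, so a cap derived from the remaining payload size (or stopping the loop at end of data, if the bs_* reader exposes that) would be worth adding.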