Commit f63ee9ba authored by François Cartegnie's avatar François Cartegnie 🤞

packetizer: h264: fix invalid deref (fix #17585)

parent 34142f6b
......@@ -313,7 +313,7 @@ static int H264SetCSD(decoder_t *p_dec, void *p_buf, size_t i_size,
/* Compare the SPS PPS with the old one */
if (!CSDCmp(p_dec, csd, i_csd_count))
{
msg_Warn(p_dec, "New SPS/PPS found, id: %d size: %ux%u sps: %d pps: %d",
msg_Warn(p_dec, "New SPS/PPS found, id: %" PRIu8 " size: %ux%u sps: %d pps: %d",
p_sps->i_id, vsize[0], vsize[1],
i_sps_size, i_pps_size);
......@@ -101,8 +101,8 @@ struct decoder_sys_t
bool b_header;
bool b_sps;
bool b_pps;
block_t *pp_sps[H264_SPS_MAX];
block_t *pp_pps[H264_PPS_MAX];
block_t *pp_sps[H264_SPS_ID_MAX + 1];
block_t *pp_pps[H264_PPS_ID_MAX + 1];
int i_recovery_frames; /* -1 = no recovery */
/* avcC data */
......@@ -211,9 +211,9 @@ static int Open( vlc_object_t *p_this )
p_sys->b_header= false;
p_sys->b_sps = false;
p_sys->b_pps = false;
for( i = 0; i < H264_SPS_MAX; i++ )
for( i = 0; i <= H264_SPS_ID_MAX; i++ )
p_sys->pp_sps[i] = NULL;
for( i = 0; i < H264_PPS_MAX; i++ )
for( i = 0; i <= H264_PPS_ID_MAX; i++ )
p_sys->pp_pps[i] = NULL;
p_sys->i_recovery_frames = -1;
......@@ -328,12 +328,12 @@ static void Close( vlc_object_t *p_this )
if( p_sys->p_frame )
block_ChainRelease( p_sys->p_frame );
for( i = 0; i < H264_SPS_MAX; i++ )
for( i = 0; i < H264_SPS_ID_MAX; i++ )
{
if( p_sys->pp_sps[i] )
block_Release( p_sys->pp_sps[i] );
}
for( i = 0; i < H264_PPS_MAX; i++ )
for( i = 0; i < H264_PPS_ID_MAX; i++ )
{
if( p_sys->pp_pps[i] )
block_Release( p_sys->pp_pps[i] );
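Review bot: The two release loops in Close now stop at `i < H264_SPS_ID_MAX` and `i < H264_PPS_ID_MAX`, so `pp_sps[31]` and `pp_pps[255]` are never released even though the arrays are declared with `ID_MAX + 1` entries and Open initialises them with `<=`; the block kept for the highest-numbered SPS or PPS leaks on close. Both bounds should be inclusive: `for( i = 0; i <= H264_SPS_ID_MAX; i++ )` and `for( i = 0; i <= H264_PPS_ID_MAX; i++ )`. The PPS loop in the OutputPicture hunk below (`i < H264_PPS_ID_MAX`) has the same off-by-one while its SPS loop correctly uses `<=`, so a stream using pic_parameter_set_id 255 would never get its PPS prepended to the output picture. Close's body continues outside the hunk.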
......@@ -578,12 +578,12 @@ static block_t *OutputPicture( decoder_t *p_dec )
block_t *p_list = NULL;
block_t **pp_list_tail = &p_list;
for( int i = 0; i < H264_SPS_MAX && (b_sps_pps_i || p_sys->b_frame_sps); i++ )
for( int i = 0; i <= H264_SPS_ID_MAX && (b_sps_pps_i || p_sys->b_frame_sps); i++ )
{
if( p_sys->pp_sps[i] )
block_ChainLastAppend( &pp_list_tail, block_Duplicate( p_sys->pp_sps[i] ) );
}
for( int i = 0; i < H264_PPS_MAX && (b_sps_pps_i || p_sys->b_frame_pps); i++ )
for( int i = 0; i < H264_PPS_ID_MAX && (b_sps_pps_i || p_sys->b_frame_pps); i++ )
{
if( p_sys->pp_pps[i] )
block_ChainLastAppend( &pp_list_tail, block_Duplicate( p_sys->pp_pps[i] ) );
......@@ -215,9 +215,10 @@ static bool h264_parse_sequence_parameter_set_rbsp( bs_t *p_bs,
p_sps->i_constraint_set_flags = bs_read( p_bs, 8 );
p_sps->i_level = bs_read( p_bs, 8 );
/* sps id */
p_sps->i_id = bs_read_ue( p_bs );
if( p_sps->i_id >= H264_SPS_MAX )
uint32_t i_sps_id = bs_read_ue( p_bs );
if( i_sps_id > H264_SPS_ID_MAX )
return false;
p_sps->i_id = i_sps_id;
if( i_profile_idc == PROFILE_H264_HIGH ||
i_profile_idc == PROFILE_H264_HIGH_10 ||
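Review bot: The range check now runs on the `uint32_t` local before the value is stored into the `uint8_t` `i_id` field, and that ordering is what makes the fix work: assigning first would silently truncate an out-of-range Exp-Golomb value into a valid-looking id before it is used, presumably as an index into the fixed-size SPS/PPS tables. That is load-bearing and deserves a comment so nobody "simplifies" it back, e.g. `/* range-check before narrowing to the uint8_t field: the id is used as a table index */`; the same applies to `i_pps_id`/`i_sps_id` in the picture-parameter-set hunk below. The check only proves the id is in range, not that an SPS with that id has been received, so any later `pp_sps[i_sps_id]` lookup still has to handle NULL (inferred; the lookup is outside this hunk). h264_parse_sequence_parameter_set_rbsp continues outside the hunk.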
......@@ -467,10 +468,12 @@ void h264_release_pps( h264_picture_parameter_set_t *p_pps )
static bool h264_parse_picture_parameter_set_rbsp( bs_t *p_bs,
h264_picture_parameter_set_t *p_pps )
{
p_pps->i_id = bs_read_ue( p_bs ); // pps id
p_pps->i_sps_id = bs_read_ue( p_bs ); // sps id
if( p_pps->i_id >= H264_PPS_MAX || p_pps->i_sps_id >= H264_SPS_MAX )
uint32_t i_pps_id = bs_read_ue( p_bs ); // pps id
uint32_t i_sps_id = bs_read_ue( p_bs ); // sps id
if( i_pps_id > H264_PPS_ID_MAX || i_sps_id > H264_SPS_ID_MAX )
return false;
p_pps->i_id = i_pps_id;
p_pps->i_sps_id = i_sps_id;
bs_skip( p_bs, 1 ); // entropy coding mode flag
p_pps->i_pic_order_present_flag = bs_read( p_bs, 1 );
......@@ -41,8 +41,8 @@
#define PROFILE_H264_MVC_MULTIVIEW_DEPTH_HIGH 138
#define PROFILE_H264_MVC_ENHANCED_MULTIVIEW_DEPTH_HIGH 139
#define H264_SPS_MAX (32)
#define H264_PPS_MAX (256)
#define H264_SPS_ID_MAX (31)
#define H264_PPS_ID_MAX (255)
enum h264_nal_unit_type_e
{
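Review bot: `H264_SPS_ID_MAX` and `H264_PPS_ID_MAX` are now inclusive upper bounds rather than element counts, which flips the idiom every user must follow (`<=` in loops, `+ 1` in array sizes), and the bare defines do not say so. A one-line comment would prevent the next off-by-one: `/* largest legal seq_parameter_set_id / pic_parameter_set_id (inclusive); id-indexed tables need MAX + 1 entries */`. The mixed `<` and `<=` usage across the loops in this same commit shows the ambiguity is real.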
......@@ -84,7 +84,7 @@ void h264_release_pps( h264_picture_parameter_set_t * );
struct h264_sequence_parameter_set_t
{
int i_id;
uint8_t i_id;
uint8_t i_profile, i_level;
uint8_t i_constraint_set_flags;
/* according to avcC, 3 bits max for those */
......@@ -129,8 +129,8 @@ struct h264_sequence_parameter_set_t
struct h264_picture_parameter_set_t
{
int i_id;
int i_sps_id;
uint8_t i_id;
uint8_t i_sps_id;
int i_pic_order_present_flag;
};