Commit 96fca586 authored by Rafaël Carré's avatar Rafaël Carré Committed by Jean-Paul Saman

Really fix H264 packetizing: abort PacketizeAVC1() if computed size is too huge

parent ab4e8a39
...@@ -447,22 +447,23 @@ static block_t *PacketizeAVC1( decoder_t *p_dec, block_t **pp_block ) ...@@ -447,22 +447,23 @@ static block_t *PacketizeAVC1( decoder_t *p_dec, block_t **pp_block )
i_size = (i_size << 8) | (*p++); i_size = (i_size << 8) | (*p++);
} }
if( i_size > 0 && i_size < p_block->i_buffer ) if( i_size <= 0 ||
i_size >= ( p - p_block->p_buffer + p_block->i_buffer ) )
{ {
block_t *p_part = nal_get_annexeb( p_dec, p, i_size ); msg_Err( p_dec, "Broken frame : size %d is too big", i_size );
if( !p_part ) break;
{ }
block_Release( p_block );
return NULL;
}
p_part->i_dts = p_block->i_dts;
p_part->i_pts = p_block->i_pts;
/* Parse the NAL */ block_t *p_part = nal_get_annexeb( p_dec, p, i_size );
if( ( p_pic = ParseNALBlock( p_dec, p_part ) ) ) if( !p_part )
{ break;
block_ChainAppend( &p_ret, p_pic ); p_part->i_dts = p_block->i_dts;
} p_part->i_pts = p_block->i_pts;
/* Parse the NAL */
if( ( p_pic = ParseNALBlock( p_dec, p_part ) ) )
{
block_ChainAppend( &p_ret, p_pic );
} }
p += i_size; p += i_size;
} }
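Review bot: The upper bound in the new size check, `i_size >= ( p - p_block->p_buffer + p_block->i_buffer )`, adds the bytes already consumed to the buffer length instead of subtracting them, so the limit is never smaller than `i_buffer` and grows as `p` advances. A length prefix from a corrupt or untrusted stream that exceeds the bytes left after `p` can therefore still pass and reach `nal_get_annexeb( p_dec, p, i_size )`, which presumably reads `i_size` bytes starting at `p` and would run past the end of the block. Compare against the remaining bytes instead: `if( i_size <= 0 || i_size > ( p_block->p_buffer + p_block->i_buffer - p ) )`. The enclosing loop starts outside the hunk, so it cannot be confirmed from here that the prefix read `*p++` itself stays inside the buffer; the log text also reports "too big" for the `i_size <= 0` case.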
......