Really fix H264 packetizing: abort PacketizeAVC1() if computed size is too huge

(cherry picked from commit 96fca586)

Really fix H264 packetizing: abort PacketizeAVC1() if computed size is too huge
(cherry picked from commit 96fca586)
f928f7db · Rafaël Carré · ba61d7b9 · f928f7db
Commit f928f7db authored Mar 31, 2008 by Rafaël Carré
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 14 deletions

modules/packetizer/h264.c modules/packetizer/h264.c +15 -14

No files found.
--- a/modules/packetizer/h264.c
+++ b/modules/packetizer/h264.c
@@ -443,14 +443,16 @@ static block_t *PacketizeAVC1( decoder_t *p_dec, block_t **pp_block )
            i_size = (i_size << 8) | (*p++);
        }

-        if( i_size > 0 && i_size < p_block->i_buffer )
+        if( i_size <= 0 ||
+            i_size >= ( p - p_block->p_buffer + p_block->i_buffer ) )
        {
+            msg_Err( p_dec, "Broken frame : size %d is too big", i_size );
+            break;
+        }
+
        block_t *p_part = nal_get_annexeb( p_dec, p, i_size );
        if( !p_part )
-            {
-                block_Release( p_block );
-                return NULL;
-            }
+            break;
        p_part->i_dts = p_block->i_dts;
        p_part->i_pts = p_block->i_pts;

@@ -459,7 +461,6 @@ static block_t *PacketizeAVC1( decoder_t *p_dec, block_t **pp_block )
        {
            block_ChainAppend( &p_ret, p_pic );
        }
-        }
        p += i_size;
    }
    block_Release( p_block );