Avoid SPS and PPS id array out of bounds in h264 parser

Fixes ticket tvheadend#467
romanlum · May 18, 2011 · 8281379 · 8281379
1 parent e9d2c11
commit 8281379
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/src/parser_h264.c b/src/parser_h264.c
@@ -239,6 +239,8 @@ h264_decode_seq_parameter_set(elementary_stream_t *st, bitstream_t *bs)
   level_idc= read_bits(bs, 8);
   sps_id= read_golomb_ue(bs);
 
+  if(sps_id > 255)
+    return -1;
 
   i = 0;
   while(h264_lev2cpbsize[i][0] != -1) {
@@ -337,7 +339,12 @@ h264_decode_pic_parameter_set(elementary_stream_t *st, bitstream_t *bs)
     p = st->es_priv = calloc(1, sizeof(h264_private_t));
 
   pps_id = read_golomb_ue(bs);
+  if(pps_id > 255)
+    return 0;
   sps_id = read_golomb_ue(bs);
+  if(sps_id > 255)
+    return -1;
+
   p->pps[pps_id].sps = sps_id;
   return 0;
 }
@@ -374,6 +381,9 @@ h264_decode_slice_header(elementary_stream_t *st, bitstream_t *bs, int *pkttype,
   }
 
   pps_id = read_golomb_ue(bs);
+  if(pps_id > 255)
+    return -1;
+
   sps_id = p->pps[pps_id].sps;
   if(p->sps[sps_id].max_frame_num_bits == 0)
     return -1;