On Mon, Nov 26, 2012 at 01:06:18PM +0100, Janne Grunau wrote: > Fixes infinite or long-running loop in frame num gap code in > the fuzzed sample bipbop234.ts_s223302. > > CC: libav-sta...@libav.org > --- > libavcodec/h264_ps.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c > index 810f69f..dc6b676 100644 > --- a/libavcodec/h264_ps.c > +++ b/libavcodec/h264_ps.c > @@ -37,6 +37,9 @@ > //#undef NDEBUG > #include <assert.h> > > +#define MAX_LOG2_MAX_FRAME_NUM (12 + 4) > +#define MIN_LOG2_MAX_FRAME_NUM 4 > + > static const AVRational pixel_aspect[17]={ > {0, 1}, > {1, 1}, > @@ -349,6 +352,12 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){ > } > > sps->log2_max_frame_num= get_ue_golomb(&s->gb) + 4; > + if (sps->log2_max_frame_num > MAX_LOG2_MAX_FRAME_NUM || > + sps->log2_max_frame_num < MIN_LOG2_MAX_FRAME_NUM) { > + av_log(h->s.avctx, AV_LOG_ERROR, "log2_max_frame_num out of range " > + "(4-16): %d\n", sps->log2_max_frame_num); > + return AVERROR_INVALIDDATA; > + } > sps->poc_type= get_ue_golomb_31(&s->gb); > > if(sps->poc_type == 0){ //FIXME #define > --
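Review bot: the new macros in the first hunk (`#define MAX_LOG2_MAX_FRAME_NUM (12 + 4)` and `#define MIN_LOG2_MAX_FRAME_NUM 4`) would be clearer with a one-line comment stating that the bitstream element is log2_max_frame_num_minus4 and that the `+ 4` is the same offset applied when the value is read; as written, a reader has to find the `get_ue_golomb(&s->gb) + 4` site to understand why the upper bound is spelled `(12 + 4)` rather than 16.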
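Review bot: in the second hunk the lower bound `sps->log2_max_frame_num < MIN_LOG2_MAX_FRAME_NUM` can only fire if get_ue_golomb() returns a negative value, since 4 is added unconditionally before the comparison; if the check is kept for that case, a short comment saying so would avoid the obvious "can this ever be true?" question, otherwise it can be dropped. Also, the error message hardcodes the range as `"(4-16)"` while the actual bounds come from the macros; printing the macro values instead keeps the message from going stale if the limits are ever changed.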
LGTM though I suspect it's useless to check for the minimum size (unless it overflows).

_______________________________________________
libav-devel mailing list
libav-devel@libav.org
https://lists.libav.org/mailman/listinfo/libav-devel