Fixes possible invalid memory access for mismatching skipped/non-skipped
slice segments.
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Sample-Id: 00001533-google
---
libavcodec/hevc.c | 8 ++++++++
libavcodec/hevc.h | 2 ++
2 files changed, 10 insertions(+)
diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c
index bc89b17..8d9324a 100644
--- a/libavcodec/hevc.c
+++ b/libavcodec/hevc.c
@@ -2471,6 +2471,7 @@ static int hevc_frame_start(HEVCContext *s)
lc->start_of_tiles_x = 0;
s->is_decoded = 0;
+ s->first_nal_type = s->nal_unit_type;
if (s->pps->tiles_enabled_flag)
lc->end_of_tiles_x = s->pps->column_width[0] << s->sps->log2_ctb_size;
@@ -2595,6 +2596,13 @@ static int decode_nal_unit(HEVCContext *s, const uint8_t
*nal, int length)
return AVERROR_INVALIDDATA;
}
+ if (s->nal_unit_type != s->first_nal_type) {
+ av_log(s->avctx, AV_LOG_ERROR,
+ "Non-matching NAL types of the VCL NALUs: %d %d\n",
+ s->first_nal_type, s->nal_unit_type);
+ return AVERROR_INVALIDDATA;
+ }
+
if (!s->sh.dependent_slice_segment_flag &&
s->sh.slice_type != I_SLICE) {
ret = ff_hevc_slice_rpl(s);
diff --git a/libavcodec/hevc.h b/libavcodec/hevc.h
index a674899..accfcb6 100644
--- a/libavcodec/hevc.h
+++ b/libavcodec/hevc.h
@@ -840,6 +840,8 @@ typedef struct HEVCContext {
HEVCNAL *nals;
int nb_nals;
int nals_allocated;
+ // type of the first VCL NAL of the current frame
+ enum NALUnitType first_nal_type;
// for checking the frame checksums
struct AVMD5 *md5_ctx;
--
1.7.10.4
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
