codecparsers: h264parser: guard against ref_pic_markings overflow

author: Andrew Wesie <andrew@theori.io> 2020-10-16 12:29:02 +0100
committer: Tim-Philipp Müller <tim@centricular.com> 2020-10-16 14:58:47 +0100
commit: 026f1550b1fa7e8e13a8fb44eeebf292f3825ad1 (patch)
tree: adbe58ea81439a0b393a798ef704aa75dfc7c4b0
parent: 5128cbd398f2855cda82c0166c47481e59d48db9 (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c
index 4617760c0..eb063cbaf 100644
--- a/gst-libs/gst/codecparsers/gsth264parser.c
+++ b/gst-libs/gst/codecparsers/gsth264parser.c
@@ -712,13 +712,17 @@ gst_h264_slice_parse_dec_ref_pic_marking (GstH264SliceHdr * slice,
 
       dec_ref_pic_m->n_ref_pic_marking = 0;
       while (1) {
-        refpicmarking =
-            &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking];
-
         READ_UE (nr, mem_mgmt_ctrl_op);
         if (mem_mgmt_ctrl_op == 0)
           break;
 
+        if (dec_ref_pic_m->n_ref_pic_marking >=
+            G_N_ELEMENTS (dec_ref_pic_m->ref_pic_marking))
+          goto error;
+
+        refpicmarking =
+            &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking];
+
         refpicmarking->memory_management_control_operation = mem_mgmt_ctrl_op;
 
         if (mem_mgmt_ctrl_op == 1 || mem_mgmt_ctrl_op == 3)
author	Andrew Wesie <andrew@theori.io>	2020-10-16 12:29:02 +0100
committer	Tim-Philipp Müller <tim@centricular.com>	2020-10-16 14:58:47 +0100
commit	026f1550b1fa7e8e13a8fb44eeebf292f3825ad1 (patch)
tree	adbe58ea81439a0b393a798ef704aa75dfc7c4b0
parent	5128cbd398f2855cda82c0166c47481e59d48db9 (diff)