diff options
author | Andrew Wesie <andrew@theori.io> | 2020-10-16 12:29:02 +0100 |
---|---|---|
committer | Tim-Philipp Müller <tim@centricular.com> | 2020-10-16 14:58:47 +0100 |
commit | 026f1550b1fa7e8e13a8fb44eeebf292f3825ad1 (patch) | |
tree | adbe58ea81439a0b393a798ef704aa75dfc7c4b0 | |
parent | 5128cbd398f2855cda82c0166c47481e59d48db9 (diff) |
codecparsers: h264parser: guard against ref_pic_markings overflow
-rw-r--r-- | gst-libs/gst/codecparsers/gsth264parser.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c index 4617760c0..eb063cbaf 100644 --- a/gst-libs/gst/codecparsers/gsth264parser.c +++ b/gst-libs/gst/codecparsers/gsth264parser.c @@ -712,13 +712,17 @@ gst_h264_slice_parse_dec_ref_pic_marking (GstH264SliceHdr * slice, dec_ref_pic_m->n_ref_pic_marking = 0; while (1) { - refpicmarking = - &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking]; - READ_UE (nr, mem_mgmt_ctrl_op); if (mem_mgmt_ctrl_op == 0) break; + if (dec_ref_pic_m->n_ref_pic_marking >= + G_N_ELEMENTS (dec_ref_pic_m->ref_pic_marking)) + goto error; + + refpicmarking = + &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking]; + refpicmarking->memory_management_control_operation = mem_mgmt_ctrl_op; if (mem_mgmt_ctrl_op == 1 || mem_mgmt_ctrl_op == 3) |