summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Wesie <andrew@theori.io>2020-10-16 12:29:02 +0100
committerTim-Philipp Müller <tim@centricular.com>2020-10-16 14:57:43 +0100
commitbd3532008f2a12377c2d5b56e93cbfa53e1979cf (patch)
treedf17c7345fb1d7b3fbac2a14a25a9c84f46dbe3e
parentf5589e00f826e05182aad43f00ea2091f2673463 (diff)
codecparsers: h264parser: guard against ref_pic_markings overflow1.18
Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-bad/-/merge_requests/1704>
-rw-r--r--gst-libs/gst/codecparsers/gsth264parser.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c
index 1c40b6517..012f1d0d7 100644
--- a/gst-libs/gst/codecparsers/gsth264parser.c
+++ b/gst-libs/gst/codecparsers/gsth264parser.c
@@ -723,13 +723,17 @@ gst_h264_slice_parse_dec_ref_pic_marking (GstH264SliceHdr * slice,
dec_ref_pic_m->n_ref_pic_marking = 0;
while (1) {
- refpicmarking =
- &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking];
-
READ_UE (nr, mem_mgmt_ctrl_op);
if (mem_mgmt_ctrl_op == 0)
break;
+ if (dec_ref_pic_m->n_ref_pic_marking >=
+ G_N_ELEMENTS (dec_ref_pic_m->ref_pic_marking))
+ goto error;
+
+ refpicmarking =
+ &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking];
+
refpicmarking->memory_management_control_operation = mem_mgmt_ctrl_op;
if (mem_mgmt_ctrl_op == 1 || mem_mgmt_ctrl_op == 3)