1. ffmpeg
  2. Commit 3646ef6f7c0c02dc6d2f393f9fd0f6ebcbf15b44
Browse code

avformat/h264dec: Check pps_id/sps_id fields from parameter sets

Fixes a misdetection in wav.detected.as.h264.error.wav

Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>

Michael Niedermayer authored on 2016/05/05 04:20:15
Showing 1 changed files
libavformat/h264dec.c
History View file @ 3646ef6
... ... 
@@ -19,17 +19,26 @@
19 19 
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 20 
  */
21 21
22 
+#include "libavcodec/get_bits.h"
23 
+#include "libavcodec/golomb.h"
22 24 
 #include "avformat.h"
23 25 
 #include "rawdec.h"
24 26 
 #include "libavcodec/internal.h"
25 27
28 
+#define MAX_SPS_COUNT          32
29 
+#define MAX_PPS_COUNT         256
30 
+
26 31 
 static int h264_probe(AVProbeData *p)
27 32 
 {
28 33 
     uint32_t code = -1;
29 34 
     int sps = 0, pps = 0, idr = 0, res = 0, sli = 0;
30 
-    int i;
35 
+    int i, ret;
36 
+    int pps_ids[MAX_PPS_COUNT+1] = {0};
37 
+    int sps_ids[MAX_SPS_COUNT+1] = {0};
38 
+    unsigned pps_id, sps_id;
39 
+    GetBitContext gb;
31 40
32 
-    for (i = 0; i < p->buf_size; i++) {
41 
+    for (i = 0; i + 2 < p->buf_size; i++) {
33 42 
         code = (code << 8) + p->buf[i];
34 43 
         if ((code & 0xffffff00) == 0x100) {
35 44 
             int ref_idc = (code >> 5) & 3;
... ... 
@@ -53,19 +62,48 @@ static int h264_probe(AVProbeData *p)
53 53 
                     res++;
54 54 
             }
55 55
56 
+            ret = init_get_bits8(&gb, p->buf + i + 1, p->buf_size - i - 1);
57 
+            if (ret < 0)
58 
+                return 0;
59 
+
56 60 
             switch (type) {
57 61 
             case 1:
58 
-                sli++;
59 
-                break;
60 62 
             case 5:
61 
-                idr++;
63 
+                get_ue_golomb_long(&gb);
64 
+                if (get_ue_golomb_31(&gb) > 9U)
65 
+                    return 0;
66 
+                pps_id = get_ue_golomb_long(&gb);
67 
+                if (pps_id > MAX_PPS_COUNT)
68 
+                    return 0;
69 
+                if (!pps_ids[pps_id])
70 
+                    break;
71 
+
72 
+                if (type == 1)
73 
+                    sli++;
74 
+                else
75 
+                    idr++;
62 76 
                 break;
63 77 
             case 7:
64 
-                if (p->buf[i + 2] & 0x03)
78 
+                skip_bits(&gb, 14);
79 
+                if (get_bits(&gb, 2))
80 
+                    return 0;
81 
+                skip_bits(&gb, 8);
82 
+                sps_id = get_ue_golomb_31(&gb);
83 
+                if (sps_id > MAX_SPS_COUNT)
65 84 
                     return 0;
85 
+                sps_ids[sps_id] = 1;
66 86 
                 sps++;
67 87 
                 break;
68 88 
             case 8:
89 
+                pps_id = get_ue_golomb_long(&gb);
90 
+                if (pps_id > MAX_PPS_COUNT)
91 
+                    return 0;
92 
+                sps_id = get_ue_golomb_31(&gb);
93 
+                if (sps_id > MAX_SPS_COUNT)
94 
+                    return 0;
95 
+                if (!sps_ids[sps_id])
96 
+                    break;
97 
+                pps_ids[pps_id] = 1;
69 98 
                 pps++;
70 99 
                 break;
71 100 
             }