Really fix H264 packetizing: abort PacketizeAVC1() if computed size is too huge
authorRafaël Carré <funman@videolan.org>
Mon, 31 Mar 2008 07:37:58 +0000 (09:37 +0200)
committerJean-Paul Saman <jpsaman@videolan.org>
Mon, 31 Mar 2008 08:17:53 +0000 (10:17 +0200)
modules/packetizer/h264.c

index dac5ecedee5a7b236b0c8a9abc4e20ba010dc570..aa68af06a7af126a449cc171d8056f71b8fd427d 100644 (file)
@@ -447,22 +447,23 @@ static block_t *PacketizeAVC1( decoder_t *p_dec, block_t **pp_block )
             i_size = (i_size << 8) | (*p++);
         }
 
-        if( i_size > 0 && i_size < p_block->i_buffer )
+        if( i_size <= 0 ||
+            i_size >= ( p - p_block->p_buffer + p_block->i_buffer ) )
         {
-            block_t *p_part = nal_get_annexeb( p_dec, p, i_size );
-            if( !p_part )
-            {
-                block_Release( p_block );
-                return NULL;
-            }
-            p_part->i_dts = p_block->i_dts;
-            p_part->i_pts = p_block->i_pts;
+            msg_Err( p_dec, "Broken frame : size %d is too big", i_size );
+            break;
+        }
 
-            /* Parse the NAL */
-            if( ( p_pic = ParseNALBlock( p_dec, p_part ) ) )
-            {
-                block_ChainAppend( &p_ret, p_pic );
-            }
+        block_t *p_part = nal_get_annexeb( p_dec, p, i_size );
+        if( !p_part )
+            break;
+        p_part->i_dts = p_block->i_dts;
+        p_part->i_pts = p_block->i_pts;
+
+        /* Parse the NAL */
+        if( ( p_pic = ParseNALBlock( p_dec, p_part ) ) )
+        {
+            block_ChainAppend( &p_ret, p_pic );
         }
         p += i_size;
     }
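Review bot: The new bound in the `if` at the top of the hunk adds the consumed offset to the buffer size instead of computing the bytes left after `p`: `p - p_block->p_buffer + p_block->i_buffer` grows as `p` advances and is never smaller than `i_buffer`, so it is looser than the check it replaces. A length prefix read from the stream that exceeds the remaining data can therefore still pass and reach `nal_get_annexeb( p_dec, p, i_size )`, which presumably copies `i_size` bytes starting at `p` and would read past the end of the block. The bytes remaining are `p_block->p_buffer + p_block->i_buffer - p`, so the second operand should read `i_size > ( p_block->p_buffer + p_block->i_buffer - p )`. The message also says "too big" when the branch was taken for `i_size <= 0`, and since the loop header and the declaration of `i_size` are outside the hunk, the signedness of this comparison and the release of `p_block` after `break` should be confirmed there.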