h->display_orientation.present = 0;
h->afd.present = 0;
- h->a53_caption.a53_caption_size = 0;
- av_freep(&h->a53_caption.a53_caption);
+ av_buffer_unref(&h->a53_caption.buf_ref);
}
static int decode_picture_timing(H264SEIPictureTiming *h, GetBitContext *gb,
size -= 2;
if (cc_count && size >= cc_count * 3) {
- const uint64_t new_size = (h->a53_caption_size + cc_count
+ int old_size = h->buf_ref ? h->buf_ref->size : 0;
+ const uint64_t new_size = (old_size + cc_count
* UINT64_C(3));
int i, ret;
return AVERROR(EINVAL);
/* Allow merging of the cc data from two fields. */
- ret = av_reallocp(&h->a53_caption, new_size);
+ ret = av_buffer_realloc(&h->buf_ref, new_size);
if (ret < 0)
return ret;
+ /* Use of av_buffer_realloc assumes buffer is writeable */
for (i = 0; i < cc_count; i++) {
- h->a53_caption[h->a53_caption_size++] = get_bits(gb, 8);
- h->a53_caption[h->a53_caption_size++] = get_bits(gb, 8);
- h->a53_caption[h->a53_caption_size++] = get_bits(gb, 8);
+ h->buf_ref->data[old_size++] = get_bits(gb, 8);
+ h->buf_ref->data[old_size++] = get_bits(gb, 8);
+ h->buf_ref->data[old_size++] = get_bits(gb, 8);
}
skip_bits(gb, 8); // marker_bits
return 0;
}
-static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb)
+static int decode_recovery_point(H264SEIRecoveryPoint *h, GetBitContext *gb, void *logctx)
{
- h->recovery_frame_cnt = get_ue_golomb_long(gb);
+ unsigned recovery_frame_cnt = get_ue_golomb_long(gb);
+ if (recovery_frame_cnt >= (1<<MAX_LOG2_MAX_FRAME_NUM)) {
+ av_log(logctx, AV_LOG_ERROR, "recovery_frame_cnt %u is out of range\n", recovery_frame_cnt);
+ return AVERROR_INVALIDDATA;
+ }
+
+ h->recovery_frame_cnt = recovery_frame_cnt;
/* 1b exact_match_flag,
* 1b broken_link_flag,
* 2b changing_slice_group_idc */
ret = decode_unregistered_user_data(&h->unregistered, gb, logctx, size);
break;
case H264_SEI_TYPE_RECOVERY_POINT:
- ret = decode_recovery_point(&h->recovery_point, gb);
+ ret = decode_recovery_point(&h->recovery_point, gb, logctx);
break;
case H264_SEI_TYPE_BUFFERING_PERIOD:
ret = decode_buffering_period(&h->buffering_period, gb, ps, logctx);