X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fh264_cavlc.c;h=d82144e3c36ec5e9016e52d45bdda552bf446aa1;hb=c6db2e97dcd246234b958814450d3fd12a5c8c27;hp=5e6a20304a5649547eafb4f5c663fa2fe4522ace;hpb=2d62e06ff6a9f3dbd78136c1dc4a315a727c6f00;p=ffmpeg
diff --git a/libavcodec/h264_cavlc.c b/libavcodec/h264_cavlc.c
index 5e6a20304a5..d82144e3c36 100644
--- a/libavcodec/h264_cavlc.c
+++ b/libavcodec/h264_cavlc.c
@@ -714,8 +714,14 @@ int ff_h264_decode_mb_cavlc(const H264Context *h, H264SliceContext *sl)
 cbp = 0; /* avoid warning. FIXME: find a solution without slowing down the code */
 if (sl->slice_type_nos != AV_PICTURE_TYPE_I) {
- if (sl->mb_skip_run == -1)
- sl->mb_skip_run = get_ue_golomb_long(&sl->gb);
+ if (sl->mb_skip_run == -1) {
+ unsigned mb_skip_run = get_ue_golomb_long(&sl->gb);
+ if (mb_skip_run > h->mb_num) {
+ av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %d is invalid\n", mb_skip_run);
+ return AVERROR_INVALIDDATA;
+ }
+ sl->mb_skip_run = mb_skip_run;
+ }
 if (sl->mb_skip_run--) {
 if (FRAME_MBAFF(h) && (sl->mb_y & 1) == 0) {
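Review bot: The added av_log call formats the `unsigned mb_skip_run` local with `%d`, so bitstream values above INT_MAX, which this check rejects, are logged as negative numbers and mislead anyone triaging a malformed stream or a fuzzer report. The line should read `av_log(h->avctx, AV_LOG_ERROR, "mb_skip_run %u is invalid\n", mb_skip_run);`. Separately, the bound is `h->mb_num`, which appears to be the macroblock count of the whole picture rather than what is left in the current slice. A run that is too long for the slice but not for the picture therefore still passes here, and a short comment above the comparison should say which later check is relied on to catch that. ff_h264_decode_mb_cavlc starts and ends outside this hunk, so that later handling cannot be confirmed from the lines shown.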