X-Git-Url: https://git.sesse.net/?a=blobdiff_plain;f=libavcodec%2Fh264_ps.c;h=7648e2c7a60a3fee7abdc60ea069cf20215c4136;hb=ed99e54d67bd5fa05423cb60c53453e7c27e5742;hp=3fc3442854917dcec75b2b7dc2abcff0e1bf440e;hpb=889fce8e306f15a223d13f8c0dbb211ec4b52fd0;p=ffmpeg
diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 3fc34428549..7648e2c7a60 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -20,7 +20,7 @@
 */
 /**
- * @file libavcodec/h264_ps.c
+ * @file
 * H.264 / AVC / MPEG4 part10 parameter set decoding.
 * @author Michael Niedermayer
 */
@@ -176,7 +176,7 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
 if(sps->timing_info_present_flag){
 sps->num_units_in_tick = get_bits_long(&s->gb, 32);
 sps->time_scale = get_bits_long(&s->gb, 32);
- if(sps->num_units_in_tick-1 > 0x7FFFFFFEU || sps->time_scale-1 > 0x7FFFFFFEU){
+ if(!sps->num_units_in_tick || !sps->time_scale){
 av_log(h->s.avctx, AV_LOG_ERROR, "time_scale/num_units_in_tick invalid or unsupported (%d/%d)\n", sps->time_scale, sps->num_units_in_tick);
 return -1;
 }
@@ -205,6 +205,12 @@ static inline int decode_vui_parameters(H264Context *h, SPS *sps){
 sps->num_reorder_frames= get_ue_golomb(&s->gb);
 get_ue_golomb(&s->gb); /*max_dec_frame_buffering*/
+ if(s->gb.size_in_bits < get_bits_count(&s->gb)){
+ av_log(h->s.avctx, AV_LOG_ERROR, "Overread VUI by %d bits\n", get_bits_count(&s->gb) - s->gb.size_in_bits);
+ sps->num_reorder_frames=0;
+ sps->bitstream_restriction_flag= 0;
+ }
+
 if(sps->num_reorder_frames > 16U /*max_dec_frame_buffering || max_dec_frame_buffering > 16*/){
 av_log(h->s.avctx, AV_LOG_ERROR, "illegal num_reorder_frames %d\n", sps->num_reorder_frames);
 return -1;
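Review bot: The new test in decode_vui_parameters rejects only zero, so `num_units_in_tick` and `time_scale` values of 0x80000000 and above, which the removed comparison refused, are now accepted straight from the bitstream. Whether that is safe depends on consumers outside this hunk; if any of them store these fields in a signed int (a frame-rate rational, for instance), the value turns negative there. Either keep an upper bound, e.g. `if(!sps->num_units_in_tick || !sps->time_scale || sps->num_units_in_tick > INT_MAX || sps->time_scale > INT_MAX){`, or add a comment stating that every user treats both fields as unsigned 32-bit.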
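Review bot: The overread test runs only after the VUI fields have already been pulled from the bit reader, and it clears just `num_reorder_frames` and `bitstream_restriction_flag`; anything parsed earlier in decode_vui_parameters keeps whatever was read past `size_in_bits`, and the function carries on instead of returning -1. The reads themselves stay in bounds only if the input buffer is padded or the reader is bounds-checked, which cannot be confirmed from this hunk. If tolerating a truncated VUI is deliberate, say so above the test, e.g. `/* truncated VUI: discard the restriction fields read past the end, keep the rest */`. The enclosing block starts outside the hunk.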
@@ -347,6 +353,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
 sps->mb_aff= 0;
 sps->direct_8x8_inference_flag= get_bits1(&s->gb);
+ if(!sps->frame_mbs_only_flag && !sps->direct_8x8_inference_flag){
+ av_log(h->s.avctx, AV_LOG_ERROR, "This stream was generated by a broken encoder, invalid 8x8 inference\n");
+ goto fail;
+ }
 #ifndef ALLOW_INTERLACE
 if(sps->mb_aff)
@@ -501,7 +511,7 @@ int ff_h264_decode_picture_parameter_set(H264Context *h, int bit_length){
 build_qp_table(pps, 0, pps->chroma_qp_index_offset[0]);
 build_qp_table(pps, 1, pps->chroma_qp_index_offset[1]);
 if(pps->chroma_qp_index_offset[0] != pps->chroma_qp_index_offset[1])
- h->pps.chroma_qp_diff= 1;
+ pps->chroma_qp_diff= 1;
 if(s->avctx->debug&FF_DEBUG_PICT_INFO){
 av_log(h->s.avctx, AV_LOG_DEBUG, "pps:%u sps:%u %s slice_groups:%d ref:%d/%d %s qp:%d/%d/%d/%d %s %s %s %s\n",
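Review bot: The new rejection in ff_h264_decode_seq_parameter_set carries no comment tying it to the rule it enforces, and the log text blames the encoder without naming the two flags involved. A line such as `/* H.264 SPS semantics: direct_8x8_inference_flag shall be 1 when frame_mbs_only_flag is 0 */` above the `if` would tell a maintainer why such an SPS is refused rather than repaired. The `fail` label lies outside the hunk, so what it releases cannot be checked from here.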