From 96fca586a4d2b5e03545733acde884326616bca8 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Rafa=C3=ABl=20Carr=C3=A9?=
Date: Mon, 31 Mar 2008 09:37:58 +0200
Subject: [PATCH] Really fix H264 packetizing: abort PacketizeAVC1() if computed size is too huge

---
 modules/packetizer/h264.c | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/modules/packetizer/h264.c b/modules/packetizer/h264.c
index dac5ecedee..aa68af06a7 100644
--- a/modules/packetizer/h264.c
+++ b/modules/packetizer/h264.c
@@ -447,22 +447,23 @@ static block_t *PacketizeAVC1( decoder_t *p_dec, block_t **pp_block )
             i_size = (i_size << 8) | (*p++);
         }
 
-        if( i_size > 0 && i_size < p_block->i_buffer )
+        if( i_size <= 0 ||
+            i_size >= ( p - p_block->p_buffer + p_block->i_buffer ) )
         {
-            block_t *p_part = nal_get_annexeb( p_dec, p, i_size );
-            if( !p_part )
-            {
-                block_Release( p_block );
-                return NULL;
-            }
-            p_part->i_dts = p_block->i_dts;
-            p_part->i_pts = p_block->i_pts;
+            msg_Err( p_dec, "Broken frame : size %d is too big", i_size );
+            break;
+        }
 
-            /* Parse the NAL */
-            if( ( p_pic = ParseNALBlock( p_dec, p_part ) ) )
-            {
-                block_ChainAppend( &p_ret, p_pic );
-            }
+        block_t *p_part = nal_get_annexeb( p_dec, p, i_size );
+        if( !p_part )
+            break;
+        p_part->i_dts = p_block->i_dts;
+        p_part->i_pts = p_block->i_pts;
+
+        /* Parse the NAL */
+        if( ( p_pic = ParseNALBlock( p_dec, p_part ) ) )
+        {
+            block_ChainAppend( &p_ret, p_pic );
         }
         p += i_size;
     }
-- 
2.39.2
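Review bot: The bound in the new size check is wrong: `p - p_block->p_buffer + p_block->i_buffer` is the current offset plus the whole block length, which is never smaller than the number of bytes still available after `p`, so a NAL length larger than what remains still passes the check, `nal_get_annexeb()` then reads past the end of `p_block->p_buffer`, and `p += i_size` walks `p` off the block. The bytes left are `p_block->p_buffer + p_block->i_buffer - p`, and a NAL that exactly fills them is valid, so the condition should be `i_size > ( p_block->p_buffer + p_block->i_buffer - p )` rather than `>=` against the offset-plus-length sum. Replacing the `block_Release`/`return NULL` path with `break` looks reasonable provided the code after the loop, which is outside the hunk, still releases `p_block` and returns whatever was chained into `p_ret`; that cannot be confirmed from here. PacketizeAVC1() starts and ends outside this hunk.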