Actually return with an error condition if we're being asked to deal with too

many reference frames. Also check max num ref frames against our internal
ref buffer sizes.
Part of fix for roundup issue 281

Originally committed as revision 11215 to svn://svn.ffmpeg.org/ffmpeg/trunk

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 822a20f..f34bf2c 100644 (file)
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -7210,8 +7210,9 @@ static inline int decode_seq_parameter_set(H264Context *h){
     }
 
     tmp= get_ue_golomb(&s->gb);
-    if(tmp > MAX_PICTURE_COUNT-2){
+    if(tmp > MAX_PICTURE_COUNT-2 || tmp >= 32){
         av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n");
+        return -1;
     }
     sps->ref_frame_count= tmp;
     sps->gaps_in_frame_num_allowed_flag= get_bits1(&s->gb);