h264: check for out of bounds reads in ff_h264_decode_extradata().

Signed-off-by: Anton Khirnov <anton@khirnov.net>

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 9889224..e5d0ed8 100644 (file)
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1005,6 +1005,8 @@ int ff_h264_decode_extradata(H264Context *h)
         p += 6;
         for (i = 0; i < cnt; i++) {
             nalsize = AV_RB16(p) + 2;
+            if (p - avctx->extradata + nalsize > avctx->extradata_size)
+                return -1;
             if(decode_nal_units(h, p, nalsize) < 0) {
                 av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
                 return -1;
@@ -1015,6 +1017,8 @@ int ff_h264_decode_extradata(H264Context *h)
         cnt = *(p++); // Number of pps
         for (i = 0; i < cnt; i++) {
             nalsize = AV_RB16(p) + 2;
+            if (p - avctx->extradata + nalsize > avctx->extradata_size)
+                return -1;
             if (decode_nal_units(h, p, nalsize) < 0) {
                 av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
                 return -1;