From: Jeff Downs Date: Fri, 14 Dec 2007 05:48:27 +0000 (+0000) Subject: Actually return with an error condition if we're being asked to deal with too X-Git-Tag: v0.5~6760 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=41f7e2d11d2dca23842ee89d530ca9fa15cec9d8;p=platform%2Fupstream%2Flibav.git Actually return with an error condition if we're being asked to deal with too many reference frames. Also check max num ref frames against our internal ref buffer sizes. Part of fix for roundup issue 281 Originally committed as revision 11215 to svn://svn.ffmpeg.org/ffmpeg/trunk --- diff --git a/libavcodec/h264.c b/libavcodec/h264.c index 822a20f..f34bf2c 100644 --- a/libavcodec/h264.c +++ b/libavcodec/h264.c @@ -7210,8 +7210,9 @@ static inline int decode_seq_parameter_set(H264Context *h){ } tmp= get_ue_golomb(&s->gb); - if(tmp > MAX_PICTURE_COUNT-2){ + if(tmp > MAX_PICTURE_COUNT-2 || tmp >= 32){ av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n"); + return -1; } sps->ref_frame_count= tmp; sps->gaps_in_frame_num_allowed_flag= get_bits1(&s->gb);
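Review bot: The `tmp >= 32` bound added to the condition in decode_seq_parameter_set() is a bare literal, so nothing in the code ties it to the internal reference buffers that the commit message says it protects; if those buffer sizes change, this check goes stale without any compile-time signal. Suggest expressing the bound through a named constant or the element count of the arrays it guards, with a short comment naming them next to `MAX_PICTURE_COUNT-2`. The declaration of `tmp` is outside the visible context; if it is signed, a lower-bound check belongs here as well, since both comparisons only bound the value from above before it is stored in `sps->ref_frame_count`.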