From 41f7e2d11d2dca23842ee89d530ca9fa15cec9d8 Mon Sep 17 00:00:00 2001
From: Jeff Downs
Date: Fri, 14 Dec 2007 05:48:27 +0000
Subject: [PATCH] Actually return with an error condition if we're being asked to deal with too many reference frames. Also check max num ref frames against our internal ref buffer sizes. Part of fix for roundup issue 281 Originally committed as revision 11215 to svn://svn.ffmpeg.org/ffmpeg/trunk
---
 libavcodec/h264.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 822a20f..f34bf2c 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -7210,8 +7210,9 @@ static inline int decode_seq_parameter_set(H264Context *h){
 }
 tmp= get_ue_golomb(&s->gb);
- if(tmp > MAX_PICTURE_COUNT-2){
+ if(tmp > MAX_PICTURE_COUNT-2 || tmp >= 32){
 av_log(h->s.avctx, AV_LOG_ERROR, "too many reference frames\n");
+ return -1;
 }
 sps->ref_frame_count= tmp;
 sps->gaps_in_frame_num_allowed_flag= get_bits1(&s->gb);
-- 
2.7.4
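Review bot: The added bound `tmp >= 32` is a bare literal with nothing tying it to the buffers it is meant to protect, so if those reference arrays are ever resized the check goes stale silently and an oversized count could again reach code that indexes them. The commit message says the value mirrors the internal ref buffer sizes; deriving it from the array dimension or a named constant, or at least adding a comment such as `/* 32 = capacity of the internal reference lists; keep in sync */`, would make that dependency visible. Both tests are upper bounds only, so if `tmp` is declared signed (its declaration is outside this hunk) a negative value from `get_ue_golomb` would still be stored in `sps->ref_frame_count`; it is worth confirming that `tmp` is unsigned. The body of decode_seq_parameter_set starts and ends outside the hunk.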