mirror of https://git.ffmpeg.org/ffmpeg.git
avc: fix memory errors when encoding invalid h264 codecdata
Signed-off-by: Ronald S. Bultje <rsbultje@gmail.com>
This commit is contained in:
parent
f1f6d3615f
commit
6c643e0705
|
@ -75,8 +75,11 @@ int ff_avc_parse_nal_units(AVIOContext *pb, const uint8_t *buf_in, int size)
|
||||||
|
|
||||||
size = 0;
|
size = 0;
|
||||||
nal_start = ff_avc_find_startcode(p, end);
|
nal_start = ff_avc_find_startcode(p, end);
|
||||||
while (nal_start < end) {
|
for (;;) {
|
||||||
while(!*(nal_start++));
|
while (nal_start < end && !*(nal_start++));
|
||||||
|
if (nal_start == end)
|
||||||
|
break;
|
||||||
|
|
||||||
nal_end = ff_avc_find_startcode(nal_start, end);
|
nal_end = ff_avc_find_startcode(nal_start, end);
|
||||||
avio_wb32(pb, nal_end - nal_start);
|
avio_wb32(pb, nal_end - nal_start);
|
||||||
avio_write(pb, nal_start, nal_end - nal_start);
|
avio_write(pb, nal_start, nal_end - nal_start);
|
||||||
|
@ -117,22 +120,26 @@ int ff_isom_write_avcc(AVIOContext *pb, const uint8_t *data, int len)
|
||||||
end = buf + len;
|
end = buf + len;
|
||||||
|
|
||||||
/* look for sps and pps */
|
/* look for sps and pps */
|
||||||
while (buf < end) {
|
while (end - buf > 4) {
|
||||||
unsigned int size;
|
uint32_t size;
|
||||||
uint8_t nal_type;
|
uint8_t nal_type;
|
||||||
size = AV_RB32(buf);
|
size = FFMIN(AV_RB32(buf), end - buf - 4);
|
||||||
nal_type = buf[4] & 0x1f;
|
buf += 4;
|
||||||
|
nal_type = buf[0] & 0x1f;
|
||||||
|
|
||||||
if (nal_type == 7) { /* SPS */
|
if (nal_type == 7) { /* SPS */
|
||||||
sps = buf + 4;
|
sps = buf;
|
||||||
sps_size = size;
|
sps_size = size;
|
||||||
} else if (nal_type == 8) { /* PPS */
|
} else if (nal_type == 8) { /* PPS */
|
||||||
pps = buf + 4;
|
pps = buf;
|
||||||
pps_size = size;
|
pps_size = size;
|
||||||
}
|
}
|
||||||
buf += size + 4;
|
|
||||||
|
buf += size;
|
||||||
}
|
}
|
||||||
assert(sps);
|
|
||||||
assert(pps);
|
if (!sps || !pps || sps_size < 4 || sps_size > UINT16_MAX || pps_size > UINT16_MAX)
|
||||||
|
return AVERROR_INVALIDDATA;
|
||||||
|
|
||||||
avio_w8(pb, 1); /* version */
|
avio_w8(pb, 1); /* version */
|
||||||
avio_w8(pb, sps[1]); /* profile */
|
avio_w8(pb, sps[1]); /* profile */
|
||||||
|
|
Loading…
Reference in New Issue