Check level_prefix a bit (this just checks the max our bitreader can handle,

as i did nt find a limit in the spec)
This should stop cavlc_decode_residual() on a zero bitstream

Originally committed as revision 22429 to svn://svn.ffmpeg.org/ffmpeg/trunk
This commit is contained in:
Michael Niedermayer 2010-03-10 09:55:03 +00:00
parent 83c2bc7abb
commit 9885284c22

View File

@ -431,8 +431,13 @@ static int decode_residual(H264Context *h, GetBitContext *gb, DCTELEM *block, in
level_code= prefix + get_bits(gb, 4); //part
}else{
level_code= 30 + get_bits(gb, prefix-3); //part
if(prefix>=16)
if(prefix>=16){
if(prefix > 25+3){
av_log(h->s.avctx, AV_LOG_ERROR, "Invalid level prefix\n");
return -1;
}
level_code += (1<<(prefix-3))-4096;
}
}
if(trailing_ones < 3) level_code += 2;