From b6c19c9c918aee09d28606df4fe0481f96bc3695 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Thu, 15 Dec 2011 02:43:03 +0100
Subject: [PATCH] h264: check chroma_format_idc range. Fixes Ticket758 Bug
 found by: Diana Elena Muscalu

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 7fff64e00d886fde11d61958888c82b461cf99b9)

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/h264_ps.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 3184cadb21..f87957673d 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -347,6 +347,10 @@ int ff_h264_decode_seq_parameter_set(H264Context *h){
 
     if(sps->profile_idc >= 100){ //high profile
         sps->chroma_format_idc= get_ue_golomb_31(&s->gb);
+        if (sps->chroma_format_idc > 3U) {
+            av_log(h->s.avctx, AV_LOG_ERROR, "chroma_format_idc %d is illegal\n", sps->chroma_format_idc);
+            goto fail;
+        }
         if(sps->chroma_format_idc == 3)
             sps->residual_color_transform_flag = get_bits1(&s->gb);
         sps->bit_depth_luma   = get_ue_golomb(&s->gb) + 8;