diff --git a/libavcodec/h264_ps.c b/libavcodec/h264_ps.c
index 4a5f66e184..8218e3a010 100644
--- a/libavcodec/h264_ps.c
+++ b/libavcodec/h264_ps.c
@@ -467,15 +467,22 @@ int ff_h264_decode_seq_parameter_set(GetBitContext *gb, AVCodecContext *avctx,
 sps->mb_height = get_ue_golomb(gb) + 1;
 sps->frame_mbs_only_flag = get_bits1(gb);
+
+ if (sps->mb_height >= INT_MAX / 2) {
+ av_log(avctx, AV_LOG_ERROR, "height overflow\n");
+ goto fail;
+ }
+ sps->mb_height *= 2 - sps->frame_mbs_only_flag;
+
 if (!sps->frame_mbs_only_flag)
 sps->mb_aff = get_bits1(gb);
 else
 sps->mb_aff = 0;
 if ((unsigned)sps->mb_width >= INT_MAX / 16 ||
- (unsigned)sps->mb_height >= INT_MAX / (16 * (2 - sps->frame_mbs_only_flag)) ||
+ (unsigned)sps->mb_height >= INT_MAX / 16 ||
 av_image_check_size(16 * sps->mb_width,
- 16 * sps->mb_height * (2 - sps->frame_mbs_only_flag), 0, avctx)) {
+ 16 * sps->mb_height, 0, avctx)) {
 av_log(avctx, AV_LOG_ERROR, "mb_width/height overflow\n");
 goto fail;
 }
@@ -494,7 +501,7 @@ int ff_h264_decode_seq_parameter_set(GetBitContext *gb, AVCodecContext *avctx,
 unsigned int crop_top = get_ue_golomb(gb);
 unsigned int crop_bottom = get_ue_golomb(gb);
 int width = 16 * sps->mb_width;
- int height = 16 * sps->mb_height * (2 - sps->frame_mbs_only_flag);
+ int height = 16 * sps->mb_height;
 if (avctx->flags2 & AV_CODEC_FLAG2_IGNORE_CROP) {
 av_log(avctx, AV_LOG_DEBUG, "discarding sps cropping, original "
diff --git a/libavcodec/h264_ps.h b/libavcodec/h264_ps.h
index 9b9e295c83..51b6694b5f 100644
--- a/libavcodec/h264_ps.h
+++ b/libavcodec/h264_ps.h
@@ -56,7 +56,8 @@ typedef struct SPS {
 int ref_frame_count; ///< num_ref_frames
 int gaps_in_frame_num_allowed_flag;
 int mb_width; ///< pic_width_in_mbs_minus1 + 1
- int mb_height; ///< pic_height_in_map_units_minus1 + 1
+ ///< (pic_height_in_map_units_minus1 + 1) * (2 - frame_mbs_only_flag)
+ int mb_height;
 int frame_mbs_only_flag;
 int mb_aff; ///< mb_adaptive_frame_field_flag
 int direct_8x8_inference_flag;
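Review bot: The new guard in the first h264_ps.c hunk, `if (sps->mb_height >= INT_MAX / 2)`, is a signed comparison, unlike the existing `(unsigned)sps->mb_height >= INT_MAX / 16` test a few lines below it, so a negative mb_height passes the guard and reaches `sps->mb_height *= 2 - sps->frame_mbs_only_flag` before the unsigned check can reject it. Whether `get_ue_golomb(gb) + 1` can produce a negative int is not visible in this hunk, but the value is read straight from the bitstream and the later cast suggests the surrounding code already treats that as possible. Casting in the new guard keeps the two checks consistent and keeps the multiplication away from signed overflow: `if ((unsigned)sps->mb_height >= INT_MAX / 2) {`. The body of ff_h264_decode_seq_parameter_set starts and ends outside the hunk.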
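Review bot: In the h264_ps.h hunk the new comment line keeps the `///<` marker but now sits on the line before `int mb_height;`; in Doxygen the `<` form attaches the text to the member that precedes it, so this description would be rendered under mb_width rather than mb_height. A leading-form comment avoids that: `/// (pic_height_in_map_units_minus1 + 1) * (2 - frame_mbs_only_flag)`. Because the field keeps its name while its meaning changes, the comment could also say that the field factor is already applied and callers must not multiply again. The SPS struct definition continues outside the hunk.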
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 25a5890aa8..1f2c06521e 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1032,7 +1032,7 @@ static int h264_init_ps(H264Context *h, const H264SliceContext *sl, int first_sl
 h->ps.sps = (const SPS*)h->ps.sps_ref->data;
 if (h->mb_width != h->ps.sps->mb_width ||
- h->mb_height != h->ps.sps->mb_height * (2 - h->ps.sps->frame_mbs_only_flag) ||
+ h->mb_height != h->ps.sps->mb_height ||
 h->cur_bit_depth_luma != h->ps.sps->bit_depth_luma ||
 h->cur_chroma_format_idc != h->ps.sps->chroma_format_idc
 )
@@ -1046,11 +1046,11 @@ static int h264_init_ps(H264Context *h, const H264SliceContext *sl, int first_sl
 must_reinit = (h->context_initialized &&
 ( 16*sps->mb_width != h->avctx->coded_width
- || 16*sps->mb_height * (2 - sps->frame_mbs_only_flag) != h->avctx->coded_height
+ || 16*sps->mb_height != h->avctx->coded_height
 || h->cur_bit_depth_luma != sps->bit_depth_luma
 || h->cur_chroma_format_idc != sps->chroma_format_idc
 || h->mb_width != sps->mb_width
- || h->mb_height != sps->mb_height * (2 - sps->frame_mbs_only_flag)
+ || h->mb_height != sps->mb_height
 ));
 if (h->avctx->pix_fmt == AV_PIX_FMT_NONE
 || (non_j_pixfmt(h->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h, 0))))
@@ -1065,7 +1065,7 @@ static int h264_init_ps(H264Context *h, const H264SliceContext *sl, int first_sl
 h->avctx->refs = sps->ref_frame_count;
 h->mb_width = sps->mb_width;
- h->mb_height = sps->mb_height * (2 - sps->frame_mbs_only_flag);
+ h->mb_height = sps->mb_height;
 h->mb_num = h->mb_width * h->mb_height;
 h->mb_stride = h->mb_width + 1;
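Review bot: Nothing at the edited sites in h264_init_ps (the -1032 hunk and the two after it at -1046 and -1065) records that sps->mb_height is now expected to carry the `(2 - frame_mbs_only_flag)` factor already. Since the field keeps its old name, any reader of sps->mb_height outside this diff that still multiplies would compile unchanged and compute a doubled height whenever frame_mbs_only_flag is 0, which then feeds size calculations such as `h->mb_num = h->mb_width * h->mb_height`. I would add a comment above `h->mb_height = sps->mb_height;`, for example `/* sps->mb_height already includes the (2 - frame_mbs_only_flag) field factor */`, and confirm that no other user of the field remains outside the three files touched here. h264_init_ps starts and ends outside these hunks.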