From 60b6b8c019723bdb3227e1476d706c7989bb94bf Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Thu, 15 Nov 2012 22:03:58 +0100
Subject: [PATCH 1/3] h264: always check ref_count for validity

Fixes a crash with zuffed files.
---
 libavcodec/h264.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 8648a8d90b..08957da904 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -2356,7 +2356,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
 MpegEncContext *const s0 = &h0->s;
 unsigned int first_mb_in_slice;
 unsigned int pps_id;
- int num_ref_idx_active_override_flag;
+ int num_ref_idx_active_override_flag, max_refs;
 unsigned int slice_type, tmp, i, j;
 int default_ref_list_done = 0;
 int last_pic_structure, last_pic_dropable;
@@ -2835,8 +2835,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
 h->ref_count[1] = h->pps.ref_count[1];
 if (h->slice_type_nos != AV_PICTURE_TYPE_I) {
- int max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;
-
 if (h->slice_type_nos == AV_PICTURE_TYPE_B)
 h->direct_spatial_mv_pred = get_bits1(&s->gb);
 num_ref_idx_active_override_flag = get_bits1(&s->gb);
@@ -2847,12 +2845,6 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
 h->ref_count[1] = get_ue_golomb(&s->gb) + 1;
 }
- if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
- av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
- h->ref_count[0] = h->ref_count[1] = 1;
- return AVERROR_INVALIDDATA;
- }
-
 if (h->slice_type_nos == AV_PICTURE_TYPE_B)
 h->list_count = 2;
 else
@@ -2860,6 +2852,14 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
 } else
 h->list_count = 0;
+ max_refs = s->picture_structure == PICT_FRAME ? 16 : 32;
+
+ if (h->ref_count[0] > max_refs || h->ref_count[1] > max_refs) {
+ av_log(h->s.avctx, AV_LOG_ERROR, "reference overflow\n");
+ h->ref_count[0] = h->ref_count[1] = 1;
+ return AVERROR_INVALIDDATA;
+ }
+
 if (!default_ref_list_done)
 ff_h264_fill_default_ref_list(h);
From e6160bda98641b7d4f86de15761ad2a962f21a36 Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Thu, 15 Nov 2012 16:21:41 +0100
Subject: [PATCH 2/3] h264: Fix parameters to ff_er_add_slice() call

s->mb_x is reset to zero a couple of lines above. It does not make sense to call ff_er_add_slice() with 0 as endx when the end of the macroblock row was reached. Fixes unnecessary and counterproductive error resilience in https://bugzilla.libav.org/show_bug.cgi?id=394.
CC: libav-stable@libav.org
---
 libavcodec/h264.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index 08957da904..f45c572a41 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -3567,7 +3567,7 @@ static int decode_slice(struct AVCodecContext *avctx, void *arg)
 return 0;
 } else {
 ff_er_add_slice(s, s->resync_mb_x, s->resync_mb_y,
- s->mb_x, s->mb_y,
+ s->mb_x - 1, s->mb_y,
 ER_MB_END & part_mask);
 return -1;
From 8f5587c3d0bc4b5f075e4282215bda91a21fc12e Mon Sep 17 00:00:00 2001
From: Janne Grunau
Date: Fri, 16 Nov 2012 14:55:08 +0100
Subject: [PATCH 3/3] cpu.h: define AV_CPU_FLAG_MMX2 for libavutil major 52
---
 libavutil/cpu.h | 2 +-
 libavutil/version.h | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/libavutil/cpu.h b/libavutil/cpu.h
index 01f7201a5e..4929512c66 100644
--- a/libavutil/cpu.h
+++ b/libavutil/cpu.h
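Review bot: The relocated bounds check in the `decode_slice_header` hunk at -2860 carries no comment explaining why it now sits after the `else h->list_count = 0;` branch instead of inside the non-I-slice path. From the visible lines, I slices keep the `h->pps.ref_count[]` defaults and previously skipped the `max_refs` comparison, so a count above the limit for the current picture structure reached later code unvalidated; that is presumably the crash the commit message refers to. I would add `/* validate for every slice type: I slices inherit the PPS counts, which are not limited to max_refs here */` above the `max_refs = ...` assignment, and consider printing both counts and the limit in the "reference overflow" message so a rejected stream can be triaged from the log. The function body starts and ends outside the hunk.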
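Review bot: In the `decode_slice` hunk, `s->mb_x - 1` evaluates to -1 whenever `s->mb_x` has just been reset to zero, which per the commit description is exactly the case this change targets. The call then relies on `ff_er_add_slice()` turning an `endx` of -1 plus the current `s->mb_y` into the last macroblock of the previous row; that callee is not visible here, so its index arithmetic and range checks should be confirmed for a negative `endx` before this is backported to stable. A short comment at the call would record the intent, for example `/* mb_x may be 0 after a row wrap; endx == -1 then means the last MB of the previous row */`. The enclosing function continues outside the hunk.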
@@ -28,7 +28,7 @@
 /* lower 16 bits - CPU features */
 #define AV_CPU_FLAG_MMX 0x0001 ///< standard MMX
 #define AV_CPU_FLAG_MMXEXT 0x0002 ///< SSE integer functions or AMD MMX ext
-#if LIBAVUTIL_VERSION_MAJOR < 52
+#if FF_API_CPU_FLAG_MMX2
 #define AV_CPU_FLAG_MMX2 0x0002 ///< SSE integer functions or AMD MMX ext
 #endif
 #define AV_CPU_FLAG_3DNOW 0x0004 ///< AMD 3DNOW
diff --git a/libavutil/version.h b/libavutil/version.h
index 6f79eeba21..f69c73e929 100644
--- a/libavutil/version.h
+++ b/libavutil/version.h
@@ -76,6 +76,9 @@
 #ifndef FF_API_AUDIOCONVERT
 #define FF_API_AUDIOCONVERT (LIBAVUTIL_VERSION_MAJOR < 53)
 #endif
+#ifndef FF_API_CPU_FLAG_MMX2
+#define FF_API_CPU_FLAG_MMX2 (LIBAVUTIL_VERSION_MAJOR < 53)
+#endif
 /**
 * @}
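Review bot: `#if FF_API_CPU_FLAG_MMX2` in the libavutil/cpu.h hunk evaluates to 0 without any diagnostic if the macro is not defined at that point, which would silently drop `AV_CPU_FLAG_MMX2` from the public header. The hunk does not show cpu.h's includes, so it is worth confirming that version.h, where this patch adds the macro, is pulled in before line 28; the earlier `LIBAVUTIL_VERSION_MAJOR` test suggests it is, but the guard now depends on a second macro. Building with `-Wundef` would catch a missing include.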