h264_sei: check SEI size
authorMichael Niedermayer <michaelni@gmx.at>
Thu, 19 Sep 2013 14:26:25 +0000 (16:26 +0200)
committerVittorio Giovara <vittorio.giovara@gmail.com>
Fri, 1 Aug 2014 12:36:37 +0000 (13:36 +0100)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
libavcodec/h264_sei.c

index 2e5fb65..5995a8e 100644 (file)
@@ -177,6 +177,12 @@ int ff_h264_decode_sei(H264Context *h){
             size+= show_bits(&s->gb, 8);
         }while(get_bits(&s->gb, 8) == 255);
 
+        if (size > get_bits_left(&s->gb) / 8) {
+            av_log(s->avctx, AV_LOG_ERROR, "SEI type %d truncated at %d\n",
+                   type, get_bits_left(&s->gb));
+            return AVERROR_INVALIDDATA;
+        }
+
         switch(type){
         case SEI_TYPE_PIC_TIMING: // Picture timing SEI
             if(decode_picture_timing(h) < 0)
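Review bot: The new bound is only evaluated after the `do { size += show_bits(...) } while (get_bits(...) == 255)` loop has finished, and that loop never checks how many bits remain, so a payload ending in a run of 0xFF bytes is read past the end of the data before the check runs. At that point `get_bits_left()` can be negative: a remainder between -7 and -1 divides to 0, so a final `size` of 0 still passes. The declaration of `size` is outside the hunk; if it is unsigned, the comparison is done in unsigned arithmetic and a negative remainder would compare as a very large value. I would bound the read inside the loop as well, with `if (get_bits_left(&s->gb) < 8) return AVERROR_INVALIDDATA;` at the top of the loop body, and the matching `type` loop above the hunk would need the same. It would also help triage to log `size` next to the remaining bit count, since "truncated at %d" currently prints only the bits left.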