h264: correct ref count check and limit, fix out of array accesses.
authorMichael Niedermayer <michaelni@gmx.at>
Sun, 18 Nov 2012 15:29:04 +0000 (16:29 +0100)
committerMichael Niedermayer <michaelni@gmx.at>
Mon, 3 Dec 2012 19:45:41 +0000 (20:45 +0100)
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit d6c184880ee2e09fd68c0ae217173832cee5afc1)

libavcodec/h264.c

index 713fda7..ec3afea 100644 (file)
@@ -2922,7 +2922,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
                 h->ref_count[1] = get_ue_golomb(&s->gb) + 1;
             else
                 // full range is spec-ok in this case, even for frames
-                max[1] = 31;
+                h->ref_count[1] = 1;
         }
 
         if (h->ref_count[0]-1 > max[0] || h->ref_count[1]-1 > max[1]){
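Review bot: The comment kept above the new assignment, `// full range is spec-ok in this case, even for frames`, described the removed `max[1] = 31;` and now misdescribes `h->ref_count[1] = 1;`. A later reader could take it as grounds to widen the limit again, which is the condition the commit title links to out-of-array accesses. I would replace it with something like `// ref_count[1] is not read from the bitstream in this branch; pin it to 1 so the max[1] check below is not widened`. The condition that selects this `else` and the rest of decode_slice_header lie outside the hunk, so whether ref_count[1] is also bounded when the enclosing `if` is not taken cannot be confirmed from here.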