avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized

avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized

Fixes out of array access
Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
Gbp-Pq: Name CVE-2015-8661.patch

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 84a82e9cf32af884fa91cd8a93f3f280e7cab927..a59ca3d0ee7e36d6e93017c0e2a010a885ce6594 100644 (file)
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1118,6 +1118,7 @@ static int h264_slice_header_init(H264Context *h, int reinit)
         nb_slices = max_slices;
     }
     h->slice_context_count = nb_slices;
+    h->max_contexts = FFMIN(h->max_contexts, nb_slices);
 
     if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) {
         ret = ff_h264_context_init(h);