h264dec: handle zero-sized NAL units in get_last_needed_nal()
authorAnton Khirnov <anton@khirnov.net>
Wed, 20 Jul 2016 06:31:38 +0000 (08:31 +0200)
committerSylvain Beucler <beuc@debian.org>
Thu, 5 Dec 2019 16:27:00 +0000 (16:27 +0000)
The current code will ignore the init_get_bits() failure and do an
invalid read from the uninitialized GetBitContext.

Found-By: Jan Ruge <jan.s.ruge@gmail.com>
Bug-Id: 952

Gbp-Pq: Name CVE-2017-1000460.patch

libavcodec/h264.c

index e9236e918483c43bdadb48b35338f07e6ba7bf41..415704fef4c62c372b69384cba57ce7ecc7112a4 100644 (file)
@@ -1364,6 +1364,7 @@ static int get_last_needed_nal(H264Context *h, const uint8_t *buf, int buf_size)
     int nal_index   = 0;
     int buf_index   = 0;
     int nals_needed = 0;
+    int ret         = 0;
 
     while(1) {
         int nalsize = 0;
@@ -1405,7 +1406,14 @@ static int get_last_needed_nal(H264Context *h, const uint8_t *buf, int buf_size)
         case NAL_DPA:
         case NAL_IDR_SLICE:
         case NAL_SLICE:
-            init_get_bits(&h->gb, ptr, bit_length);
+            ret = init_get_bits8(&h->gb, ptr, bit_length);
+            if (ret < 0) {
+                av_log(h->avctx, AV_LOG_ERROR, "Invalid zero-sized VCL NAL unit\n");
+                if (h->avctx->err_recognition & AV_EF_EXPLODE)
+                    return ret;
+
+                break;
+            }
             if (!get_ue_golomb(&h->gb))
                 nals_needed = nal_index;
         }
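Review bot: The new `init_get_bits8(&h->gb, ptr, bit_length)` call takes its size in bytes, yet the argument is still `bit_length`, whose name and the `init_get_bits` call it replaces both suggest a count of bits; if it is in bits, `h->gb` now advertises a buffer eight times larger than the NAL and the following `get_ue_golomb` can read past `ptr`, a worse over-read than the uninitialized-context read this patch fixes. Unless `bit_length` is confirmed to hold bytes here (its computation is outside the hunk), keep the bit-sized initializer and only add the return check, `ret = init_get_bits(&h->gb, ptr, bit_length);`, since `init_get_bits` also returns a negative value on a NULL buffer or an out-of-range size in the API generation that provides `init_get_bits8`. On the non-EXPLODE path `ret` is also left negative after the `break`; if the tail of `get_last_needed_nal` returns `ret`, one bad NAL would still abort the scan, so either add `ret = 0;` before the `break` or verify how the caller consumes the return value. The log text `"Invalid zero-sized VCL NAL unit"` is also only accurate if a zero-sized NAL is the sole way `init_get_bits*` can fail here, which the hunk does not show. `get_last_needed_nal` starts and ends outside this hunk.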