From: Michael Niedermayer
Date: Sat, 23 Mar 2019 19:55:08 +0000 (+0100)
Subject: avcodec/hevc: Avoid only partly skipping duplicate first slices
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u9+rpi1^2~14
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=316a20ef793cd3f790fed4141514d6a6891b716d;p=libav.git

avcodec/hevc: Avoid only partly skipping duplicate first slices

Fixes: NULL pointer dereference and out of array access
Fixes: 13871/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5746167087890432
Fixes: 13845/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HEVC_fuzzer-5650370728034304

This also fixes the return code for explode mode

Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
Reviewed-by: James Almer
Signed-off-by: Michael Niedermayer

Gbp-Pq: Name CVE-2019-11338.patch
---
diff --git a/libavcodec/hevc.c b/libavcodec/hevc.c index 21d437c..ad8c9e2 100644 --- a/libavcodec/hevc.c +++ b/libavcodec/hevc.c @@ -461,6 +461,11 @@ static int hls_slice_header(HEVCContext *s) // Coded parameters sh->first_slice_in_pic_flag = get_bits1(gb); + if (s->ref && sh->first_slice_in_pic_flag) { + av_log(s->avctx, AV_LOG_ERROR, "Two slices reporting being the first in the same frame.\n"); + return 1; // This slice will be skiped later, do not corrupt state + } + if ((IS_IDR(s) || IS_BLA(s)) && sh->first_slice_in_pic_flag) { s->seq_decode = (s->seq_decode + 1) & 0xff; s->max_ra = INT_MAX; @@ -2900,6 +2905,8 @@ static int hevc_decode_frame(AVCodecContext *avctx, void *data, int *got_output, ret = ff_hevc_output_frame(s, data, 1); if (ret < 0) return ret; + if (ret == 1) + return AVERROR_INVALIDDATA; *got_output = ret; return 0;
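Review bot: the new `return 1;` behind the "Two slices reporting being the first in the same frame" check in `hls_slice_header()` is a positive in-band sentinel in a function whose other failure paths return negative `AVERROR` codes, so any caller that only tests `ret < 0` will treat the duplicate first slice as parsed successfully and go on decoding it with `s->ref` still pointing at the frame in progress, which is exactly the partial skip the subject line describes; the hunk does not show the call site, so every caller of `hls_slice_header()` needs an explicit `ret == 1` branch (or the skip should be signalled through a named constant or the context rather than a bare `1`), and the convention should be documented above the function. Placing the check ahead of the `IS_IDR(s) || IS_BLA(s)` block is the right spot, since it keeps `seq_decode` and `max_ra` from being advanced for a slice that is then thrown away. Minor: "skiped" in the comment should read "skipped".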
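Review bot: the `if (ret == 1) return AVERROR_INVALIDDATA;` in the second hunk looks attached to the wrong call: the context line before it is `ret = ff_hevc_output_frame(s, data, 1);` and the line after it is `*got_output = ret;`, so a return of 1 at this point is the value that reports a frame was output during flush, and rejecting it would turn every successful end-of-stream flush in `hevc_decode_frame()` into a decode error. The `1` that the first hunk introduces comes from `hls_slice_header()`, so this check belongs directly after that call, alongside its existing `if (ret < 0) return ret;`, where it also produces the explode-mode return code the commit message mentions; please re-check the placement of this hunk in the backport.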