From: Anton Khirnov
Date: Wed, 20 Jul 2016 06:31:38 +0000 (+0200)
Subject: h264dec: handle zero-sized NAL units in get_last_needed_nal()
X-Git-Tag: archive/raspbian/6%11.12-1_deb8u6+rpi1^2~1
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=8393402cd7a5efd739d7d8e65a2605eaea20c3ac;p=libav.git

h264dec: handle zero-sized NAL units in get_last_needed_nal()

The current code will ignore the init_get_bits() failure and do an invalid read from the uninitialized GetBitContext.

Found-By: Jan Ruge
Bug-Id: 952
Gbp-Pq: Name CVE-2017-1000460.patch
---

diff --git a/libavcodec/h264.c b/libavcodec/h264.c
index e9236e9..415704f 100644
--- a/libavcodec/h264.c
+++ b/libavcodec/h264.c
@@ -1364,6 +1364,7 @@ static int get_last_needed_nal(H264Context *h, const uint8_t *buf, int buf_size)
     int nal_index = 0;
     int buf_index = 0;
     int nals_needed = 0;
+    int ret = 0;
 
     while(1) {
         int nalsize = 0;
@@ -1405,7 +1406,14 @@ static int get_last_needed_nal(H264Context *h, const uint8_t *buf, int buf_size)
         case NAL_DPA:
         case NAL_IDR_SLICE:
         case NAL_SLICE:
-            init_get_bits(&h->gb, ptr, bit_length);
+            ret = init_get_bits8(&h->gb, ptr, bit_length);
+            if (ret < 0) {
+                av_log(h->avctx, AV_LOG_ERROR, "Invalid zero-sized VCL NAL unit\n");
+                if (h->avctx->err_recognition & AV_EF_EXPLODE)
+                    return ret;
+
+                break;
+            }
             if (!get_ue_golomb(&h->gb))
                 nals_needed = nal_index;
         }
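Review bot: The new line `ret = init_get_bits8(&h->gb, ptr, bit_length);` hands what looks like a bit count to a byte-sized initializer: the removed line passed the same `bit_length` to `init_get_bits()`, whose size argument is in bits, while `init_get_bits8()` takes a byte count and scales it by 8 before sizing the reader. If `bit_length` really is a bit count (its declaration and the code computing it are outside the hunk), the GetBitContext is sized at eight times the NAL payload, which loosens the bound the bit reader uses to stop `get_ue_golomb()` at the end of the buffer and changes which lengths the added zero-size check actually rejects. Keeping the original call and only checking its result, `ret = init_get_bits(&h->gb, ptr, bit_length);`, would preserve the unit while still catching the failure the commit message describes; a byte-length variant of the same fix would presumably need a byte count here, so please confirm which one this tree's `bit_length` is. A one-line comment above the `break`, `/* empty VCL NAL: nothing to parse, treat it as not needed */`, would make the non-EXPLODE path clearer. get_last_needed_nal() starts and ends outside both hunks.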