From: Michael Niedermayer Date: Tue, 24 Nov 2015 20:12:37 +0000 (+0100) Subject: avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized X-Git-Tag: archive/raspbian/6%11.12-1_deb8u8+rpi1^2~44 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=94dbbfe9ed25f59d3727bb56fe478bff6c0ed477;p=libav.git avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized avcodec/h264_slice: Limit max_contexts when slice_context_count is initialized Fixes out of array access Fixes: 1430e9c43fae47a24c179c7c54f94918/signal_sigsegv_421427_2049_f2192b6829ab6e0eefcb035329c03c60.264 Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer Gbp-Pq: Name CVE-2015-8661.patch --- diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index 84a82e9..a59ca3d 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1118,6 +1118,7 @@ static int h264_slice_header_init(H264Context *h, int reinit) nb_slices = max_slices; } h->slice_context_count = nb_slices; + h->max_contexts = FFMIN(h->max_contexts, nb_slices); if (!HAVE_THREADS || !(h->avctx->active_thread_type & FF_THREAD_SLICE)) { ret = ff_h264_context_init(h);
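Review bot: The added line `h->max_contexts = FFMIN(h->max_contexts, nb_slices);`, placed right after `h->slice_context_count = nb_slices;`, has no comment stating the invariant it enforces, namely that max_contexts must not exceed slice_context_count. Because FFMIN can only lower the value, it is also worth confirming the path where h264_slice_header_init() runs again with `reinit` set and a larger nb_slices: max_contexts would keep the earlier, smaller value unless it is re-established elsewhere, which is not visible in this hunk. Suggest a one-line comment above the assignment naming the invariant, and a sentence in the commit message saying which array the out of array access hit and where max_contexts is raised again, so that backporters can check their tree has the matching code.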