From: Andrew Wesie Date: Fri, 16 Oct 2020 11:29:02 +0000 (+0100) Subject: [PATCH] codecparsers: h264parser: guard against ref_pic_markings overflow X-Git-Tag: archive/raspbian/1.14.4-1+rvt+deb10u1^2~2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=ce3f2de2dd8fa3c19338051bf4b4cb82fcb4be1b;p=gst-plugins-bad1.0.git [PATCH] codecparsers: h264parser: guard against ref_pic_markings overflow Part-of: Gbp-Pq: Name 02_ref_pic_markings_overflow.patch --- diff --git a/gst-libs/gst/codecparsers/gsth264parser.c b/gst-libs/gst/codecparsers/gsth264parser.c index 73968db..b65b90f 100644 --- a/gst-libs/gst/codecparsers/gsth264parser.c +++ b/gst-libs/gst/codecparsers/gsth264parser.c @@ -712,13 +712,17 @@ gst_h264_slice_parse_dec_ref_pic_marking (GstH264SliceHdr * slice, dec_ref_pic_m->n_ref_pic_marking = 0; while (1) { - refpicmarking = - &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking]; - READ_UE (nr, mem_mgmt_ctrl_op); if (mem_mgmt_ctrl_op == 0) break; + if (dec_ref_pic_m->n_ref_pic_marking >= + G_N_ELEMENTS (dec_ref_pic_m->ref_pic_marking)) + goto error; + + refpicmarking = + &dec_ref_pic_m->ref_pic_marking[dec_ref_pic_m->n_ref_pic_marking]; + refpicmarking->memory_management_control_operation = mem_mgmt_ctrl_op; if (mem_mgmt_ctrl_op == 1 || mem_mgmt_ctrl_op == 3)
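Review bot: The new bounds check inside the `while (1)` loop of `gst_h264_slice_parse_dec_ref_pic_marking` jumps to `goto error` without any diagnostic, so a slice header rejected for carrying more memory management control operations than `ref_pic_marking` can hold looks the same as any other parse failure. Consider logging before the jump, for example a `GST_WARNING` saying that the operation count exceeds `G_N_ELEMENTS (dec_ref_pic_m->ref_pic_marking)`. The check sits after the `mem_mgmt_ctrl_op == 0` break, which is what lets a stream that fills the array exactly and then sends the terminator still parse; a one-line comment would stop a later cleanup from hoisting it above `READ_UE`. The commit message is a subject line only; one sentence stating that, before this change, `refpicmarking` was taken from `ref_pic_marking[n_ref_pic_marking]` and written through with no upper bound would help anyone backporting it. The increment of `n_ref_pic_marking` is outside the visible lines, so the check's correctness relies on it advancing once per stored entry.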