# HG changeset patch # User benoit # Date 1273475337 0 # Node ID 9a4c9c165b3b3c0bc8c58cc0537bca43169d744a # Parent 79a98585aa2dfa1a29f3ca2bc25ca73c3d873c56 Check NAL unit size to avoid reading past the buffer. This fixes issue1907 Patch by Thomas Devanneaux gmail(thomdev) diff -r 79a98585aa2d -r 9a4c9c165b3b h264_mp4toannexb_bsf.c --- a/h264_mp4toannexb_bsf.c Sun May 09 23:04:06 2010 +0000 +++ b/h264_mp4toannexb_bsf.c Mon May 10 07:08:57 2010 +0000 @@ -55,7 +55,9 @@ int keyframe) { H264BSFContext *ctx = bsfc->priv_data; uint8_t unit_type; - uint32_t nal_size, cumul_size = 0; + int32_t nal_size; + uint32_t cumul_size = 0; + const uint8_t *buf_end = buf + buf_size; /* nothing to filter */ if (!avctx->extradata || avctx->extradata_size < 6) { @@ -109,6 +111,9 @@ *poutbuf_size = 0; *poutbuf = NULL; do { + if (buf + ctx->length_size > buf_end) + goto fail; + if (ctx->length_size == 1) nal_size = buf[0]; else if (ctx->length_size == 2) @@ -119,6 +124,9 @@ buf += ctx->length_size; unit_type = *buf & 0x1f; + if (buf + nal_size > buf_end || nal_size < 0) + goto fail; + /* prepend only to the first type 5 NAL unit of an IDR picture */ if (ctx->first_idr && unit_type == 5) { alloc_and_copy(poutbuf, poutbuf_size, @@ -139,6 +147,11 @@ } while (cumul_size < buf_size); return 1; + +fail: + av_freep(poutbuf); + *poutbuf_size = 0; + return AVERROR(EINVAL); } static void h264_mp4toannexb_close(AVBitStreamFilterContext *bsfc)
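Review bot: the declaration `int32_t nal_size;` in the first hunk needs a comment explaining why a size is signed: the only reason is that a 4-byte length with its top bit set (read via AV_RB32 when `ctx->length_size == 4`) then becomes negative and is rejected by the later `nal_size < 0` test. Without that comment the next reader will "fix" it back to `uint32_t` and silently remove the check. The conversion from the unsigned 32-bit read to `int32_t` is also implementation-defined rather than guaranteed by the C standard, so stating the assumption (two's complement wraparound) next to the declaration is worthwhile.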
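Review bot: in the second hunk, `if (buf + ctx->length_size > buf_end)` computes a pointer that may already lie past the end of the input before it is compared, which is outside defined pointer arithmetic. Comparing remaining bytes instead keeps the check well-defined: `if (buf_end - buf < ctx->length_size) goto fail;`. The check is correctly placed before the length bytes are read, so the intent is right; only the form should change.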
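Review bot: in the third hunk the two conditions of `if (buf + nal_size > buf_end || nal_size < 0)` are evaluated in the wrong order: `buf + nal_size` is formed first, so a negative `nal_size` is added to the pointer before the `< 0` test ever runs, and a large positive value can wrap the pointer on 32-bit targets and slip past the comparison. Reorder and compare against the remaining length: `if (nal_size < 0 || nal_size > buf_end - buf) goto fail;`. That rejects both cases without ever constructing an out-of-range pointer.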
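Review bot: the new `fail:` path in the last hunk returns `AVERROR(EINVAL)` with no diagnostic, so a truncated or malformed NAL length in the input surfaces only as a bare decode error. An `av_log(avctx, AV_LOG_ERROR, ...)` naming the condition (NAL size exceeds the remaining buffer) would make such streams visible in logs, which is what an operator investigating a failing or fuzzed input needs. The cleanup itself is safe: `*poutbuf = NULL` is assigned before the loop (visible in the second hunk's context), so `av_freep(poutbuf)` is a no-op when the failure happens on the first iteration and frees the partially built output otherwise.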