From 828137904e4b386572a9254b255b361444a750fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20=C3=96man?=
Date: Wed, 18 May 2011 11:43:18 +0200
Subject: [PATCH] Avoid SPS and PPS id array out of bounds in h264 parser

Fixes ticket #467
---
 src/parser_h264.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/parser_h264.c b/src/parser_h264.c
index c77fc2d1..07bed03b 100644
--- a/src/parser_h264.c
+++ b/src/parser_h264.c
@@ -239,6 +239,8 @@ h264_decode_seq_parameter_set(elementary_stream_t *st, bitstream_t *bs)
 level_idc= read_bits(bs, 8);
 sps_id= read_golomb_ue(bs);
+ if(sps_id > 255)
+ return -1;
 i = 0;
 while(h264_lev2cpbsize[i][0] != -1) {
@@ -337,7 +339,12 @@ h264_decode_pic_parameter_set(elementary_stream_t *st, bitstream_t *bs)
 p = st->es_priv = calloc(1, sizeof(h264_private_t));
 pps_id = read_golomb_ue(bs);
+ if(pps_id > 255)
+ return 0;
 sps_id = read_golomb_ue(bs);
+ if(sps_id > 255)
+ return -1;
+ p->pps[pps_id].sps = sps_id;
 return 0;
 }
@@ -374,6 +381,9 @@ h264_decode_slice_header(elementary_stream_t *st, bitstream_t *bs, int *pkttype,
 }
 pps_id = read_golomb_ue(bs);
+ if(pps_id > 255)
+ return -1;
+ sps_id = p->pps[pps_id].sps;
 if(p->sps[sps_id].max_frame_num_bits == 0) return -1;
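Review bot: The bound `255` in `if(sps_id > 255)` is a bare literal with no visible tie to the size of the `sps[]` and `pps[]` arrays it protects; their declarations are outside the diff, so the guard is only correct while both arrays hold at least 256 entries. The same literal recurs in the h264_decode_pic_parameter_set and h264_decode_slice_header hunks. H.264 restricts seq_parameter_set_id to 0–31 and pic_parameter_set_id to 0–255, so the SPS bound follows the array size rather than the spec; I would derive the limit from the array, e.g. `sizeof(p->sps) / sizeof(p->sps[0])` where `p` is in scope, or share one named constant with the struct definition. If `sps_id` and `pps_id` are declared signed (not visible here), a large Exp-Golomb value could convert to a negative index and pass an upper-bound-only check, so confirm they are unsigned or add a `< 0` test.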
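Review bot: The new `pps_id` guard in h264_decode_pic_parameter_set returns 0, so an out-of-range PPS id is reported to the caller as a successfully parsed PPS, while the `sps_id` guard just below it and the guards in the other two hunks return -1. Unless the caller depends on 0 here (the call site is outside the diff), I would make it `if(pps_id > 255) return -1;` so malformed parameter sets are rejected uniformly and can be counted or logged as parse errors. The function body starts outside the hunk.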