From 45da7a0e8f271b32202424358393aa249a939028 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sun, 21 Jul 2013 16:38:47 +0200
Subject: avcodec/ff_h264_decode_sei: Check SEI size

Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/h264_sei.c | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'libavcodec/h264_sei.c')

diff --git a/libavcodec/h264_sei.c b/libavcodec/h264_sei.c
index 3003080..5e4321f 100644
--- a/libavcodec/h264_sei.c
+++ b/libavcodec/h264_sei.c
@@ -264,6 +264,11 @@ int ff_h264_decode_sei(H264Context *h){
         if(h->avctx->debug&FF_DEBUG_STARTCODE)
             av_log(h->avctx, AV_LOG_DEBUG, "SEI %d len:%d\n", type, size);
 
+        if (size > get_bits_left(&h->gb) / 8) {
+            av_log(h->avctx, AV_LOG_ERROR, "SEI truncated\n");
+            return AVERROR_INVALIDDATA;
+        }
+
         switch(type){
         case SEI_TYPE_PIC_TIMING: // Picture timing SEI
             if(decode_picture_timing(h) < 0)
-- 
cgit v1.1