From 46b2fa1ec0cbd00c4fd3909665608d79760654d0 Mon Sep 17 00:00:00 2001
From: Dale Curtis <dalecurtis@chromium.org>
Date: Tue, 5 Aug 2025 21:45:19 +0000
Subject: [PATCH] Make ff_h264_build_ref_list stricter with AV_EF_EXPLODE

Don't silently skip reference-list errors when AV_EF_EXPLODE is specified.
Zeroing the bad entry and continuing can otherwise lead to out-of-bounds
reads in ff_put_h264_chroma_mc4_ssse3() when small padding is used with the
checked bitstream reader.

Signed-off-by: Dale Curtis <dalecurtis@chromium.org>
---
 libavcodec/h264_refs.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index 74840e5909..e6e3adf502 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -370,6 +370,9 @@ int ff_h264_build_ref_list(H264Context *h, H264SliceContext *sl)
                        i < 0 ? "reference picture missing during reorder\n" :
                                "mismatching reference\n"
                       );
+                if (h->avctx->err_recognition & AV_EF_EXPLODE) {
+                  return AVERROR_INVALIDDATA;
+                }
                 memset(&sl->ref_list[list][index], 0, sizeof(sl->ref_list[0][0])); // FIXME
             } else {
                 for (i = index; i + 1 < sl->ref_count[list]; i++) {
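Review bot: The new early return at lines 23-25 is indented with two spaces and braced, which does not match the four-space, unbraced single-statement style used by the surrounding code in this file; it should read `if (h->avctx->err_recognition & AV_EF_EXPLODE)` followed by `    return AVERROR_INVALIDDATA;` at the block's indent. The placement itself is right: the error is logged first, so the explode path still reports which case (missing vs. mismatching reference) was hit before bailing, and the `// FIXME` memset remains the default, non-explode behaviour. It would help a reader to note on the return that entries from `index` onward are left untouched because the caller is expected to discard the slice on error; I cannot confirm the caller's handling from this hunk, so phrase it as a presumption. The enclosing loop and ff_h264_build_ref_list extend beyond this hunk.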
@@ -392,6 +395,10 @@ int ff_h264_build_ref_list(H264Context *h, H264SliceContext *sl)
         for (int index = 0; index < sl->ref_count[list]; index++) {
             if (   !sl->ref_list[list][index].parent
                 || (!FIELD_PICTURE(h) && (sl->ref_list[list][index].reference&3) != 3)) {
+                if (h->avctx->err_recognition & AV_EF_EXPLODE) {
+                  av_log(h->avctx, AV_LOG_ERROR, "Missing reference picture\n");
+                  return AVERROR_INVALIDDATA;
+                }
                 av_log(h->avctx, AV_LOG_ERROR, "Missing reference picture, default is %d\n", h->default_ref[list].poc);
 
                 for (int i = 0; i < FF_ARRAY_ELEMS(h->last_pocs); i++)
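Review bot: Lines 33-36 duplicate the "Missing reference picture" log message and order the explode check before the log, which is the opposite of the first hunk where the existing av_log runs first and the explode check follows it; the two sites should be consistent, and the duplicate string can be dropped by keeping the existing log at line 37 and placing `if (h->avctx->err_recognition & AV_EF_EXPLODE)` / `    return AVERROR_INVALIDDATA;` right after it. As in the first hunk, the added lines use two-space indentation and braces around a single statement, which does not match the file's four-space, unbraced style. Logging the default POC before returning also costs nothing and keeps the explode and non-explode diagnostics identical, which makes fuzzer-reported failures easier to correlate. The body of ff_h264_build_ref_list continues past the end of this hunk.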
-- 
2.50.1.565.gc32cd1483b-goog

