[FFmpeg-devel] A patch to fix buffer overflow when decoding h264

Antti Nietosvaara
Fri May 28 14:10:12 CEST 2010

Michael Niedermayer wrote:
> On Wed, May 26, 2010 at 03:34:38PM +0300, Antti Nietosvaara wrote:
>> I was experiencing crashes when decoding certain h264 videos (unfortunately 
>> it is quite hard to extract the problematic stream for replication, since 
>> it's in a proprietary DVR format).
>> It seems that s->mb_height can change in decode_slice_header after 
>> alloc_tables has been called for the current context, which causes 
>> overflows later. Hopefully this behaviour can be confirmed without a sample 
>> stream.
>> I have attached a patch that reallocates the tables if mb_width or 
>> mb_height change.
> what is changing mb_height without changing height?
> [...]
> ------------------------------------------------------------------------
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel at mplayerhq.hu
> https://lists.mplayerhq.hu/mailman/listinfo/ffmpeg-devel
I dug a little deeper and I may have found a reason for the crash in our 
software. Before decompressing the frame I set AVCodecContext's width 
and height to the values that the frame should have been compressed to. This 
seems to end up crashing the program later on.
I suppose altering AVCodecContext::width and height outside libavcodec 
is not using the library as intended, and as such, this patch is 
probably useless.
If you are interested in replicating the crash anyway, I could slap 
together a small C program that does just that.

Antti Nietosvaara
Turun Turvatekniikka Oy
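The failure mode described in this thread, a table allocated for one mb_width*mb_height and then written with a larger mb_width*mb_height after the slice header changed the dimensions, as a constructed C sketch. This is an added illustration, not code from the thread and not libavcodec's own code: MiniCtx, mini_alloc_tables, mini_slice_header, mini_fill_unsafe and mini_fill_safe are hypothetical stand-ins for the context, alloc_tables and decode_slice_header paths the mails refer to, and the 320x240 / 640x480 scenario is made up. The unsafe variant reports the overflow instead of performing it, since actually writing past the allocation would be undefined behaviour; the safe variant reallocates when the dimensions no longer match, which is the approach the posted patch takes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of the failure mode discussed in the thread:
 * per-macroblock tables sized from mb_width * mb_height at allocation time,
 * then the slice-header path updates mb_width/mb_height without the tables
 * being reallocated. Constructed illustration, not libavcodec code. */
typedef struct {
    int mb_width, mb_height;             /* current macroblock dimensions */
    int alloc_mb_width, alloc_mb_height; /* dimensions the tables were allocated for */
    size_t table_len;                    /* entries actually allocated */
    uint8_t *mb_table;                   /* one entry per macroblock */
} MiniCtx;

/* Stands in for alloc_tables(): (re)allocate for the current dimensions. */
static int mini_alloc_tables(MiniCtx *c)
{
    size_t n = (size_t)c->mb_width * (size_t)c->mb_height;
    uint8_t *t = realloc(c->mb_table, n ? n : 1);
    if (!t)
        return -1;
    c->mb_table = t;
    c->table_len = n;
    c->alloc_mb_width = c->mb_width;
    c->alloc_mb_height = c->mb_height;
    return 0;
}

/* Stands in for decode_slice_header() recomputing mb_* from width/height
 * (16x16 macroblocks, rounded up). In the report, width/height had been
 * overwritten from outside the library before this point. */
static void mini_slice_header(MiniCtx *c, int width, int height)
{
    c->mb_width = (width + 15) / 16;
    c->mb_height = (height + 15) / 16;
}

/* Original behaviour: trust the current mb_* values and write
 * mb_width*mb_height entries into a table sized for the old values.
 * A real decoder would write past the end and corrupt the heap;
 * here the overflow is detected and reported instead of performed. */
static int mini_fill_unsafe(MiniCtx *c)
{
    size_t n = (size_t)c->mb_width * (size_t)c->mb_height;
    if (n > c->table_len)
        return -1; /* would overflow by n - table_len entries */
    memset(c->mb_table, 1, n);
    return 0;
}

/* Behaviour in the spirit of the posted patch: reallocate when the
 * dimensions no longer match what the tables were allocated for. */
static int mini_fill_safe(MiniCtx *c)
{
    if (c->mb_width != c->alloc_mb_width || c->mb_height != c->alloc_mb_height) {
        if (mini_alloc_tables(c) < 0)
            return -1;
    }
    memset(c->mb_table, 1, (size_t)c->mb_width * (size_t)c->mb_height);
    return 0;
}

/* Constructed scenario: tables allocated for 320x240 (20x15 = 300 MBs),
 * then the slice header switches to 640x480 (40x30 = 1200 MBs).
 * Returns the fill function's status (-1: the write would have overflowed)
 * and, via len_out, the table size after the fill. */
static int run_scenario(int (*fill)(MiniCtx *), size_t *len_out)
{
    MiniCtx c = {0};
    int rc;
    mini_slice_header(&c, 320, 240);
    if (mini_alloc_tables(&c) < 0)
        return -2;
    mini_slice_header(&c, 640, 480); /* dimensions change after allocation */
    rc = fill(&c);
    if (len_out)
        *len_out = c.table_len;
    free(c.mb_table);
    return rc;
}

int scenario_unsafe(size_t *len_out) { return run_scenario(mini_fill_unsafe, len_out); }
int scenario_safe(size_t *len_out)   { return run_scenario(mini_fill_safe, len_out); }

int main(void)
{
    size_t len;
    int rc_unsafe = scenario_unsafe(&len); /* -1, table still 300 entries */
    int rc_safe = scenario_safe(&len);     /* 0, table grown to 1200 entries */
    return (rc_unsafe == -1 && rc_safe == 0) ? 0 : 1;
}
```

The point the sketch makes is that the allocation size and the dimensions used for later writes must come from the same place; whether the fix is to reallocate on change (as the patch does) or to refuse the slice when the dimensions differ from what the tables were sized for, the decoder has to compare against the allocated size rather than trust mb_width/mb_height after they have been updated.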
