From 7cf5345c17cdb80b4d47d2b0b78b8042f1d4cb9d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cartegnie?=
Date: Thu, 6 Jun 2024 15:06:15 +0700
Subject: [PATCH] packetizer: h264: check few values
---
 modules/packetizer/h264_slice.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/packetizer/h264_slice.c b/modules/packetizer/h264_slice.c
index 2a8ddc3b24..8dda44591f 100644
--- a/modules/packetizer/h264_slice.c
+++ b/modules/packetizer/h264_slice.c
@@ -122,6 +122,8 @@ h264_slice_t * h264_decode_slice( const uint8_t *p_buffer, size_t i_buffer,
 /* slice_type */
 i_slice_type = bs_read_ue( &s );
+ if( i_slice_type > 9 )
+ goto error;
 p_slice->type = i_slice_type % 5;
 /* */
@@ -151,7 +153,11 @@ h264_slice_t * h264_decode_slice( const uint8_t *p_buffer, size_t i_buffer,
 }
 if( p_slice->i_nal_type == H264_NAL_SLICE_IDR )
+ {
 p_slice->i_idr_pic_id = bs_read_ue( &s );
+ if( p_slice->i_idr_pic_id > 65535 )
+ goto error;
+ }
 p_slice->i_pic_order_cnt_type = p_sps->i_pic_order_cnt_type;
 if( p_sps->i_pic_order_cnt_type == 0 )
@@ -268,6 +274,8 @@ h264_slice_t * h264_decode_slice( const uint8_t *p_buffer, size_t i_buffer,
 do
 {
 mmco = bs_read_ue( &s );
+ if( mmco > 6 )
+ goto error;
 if( mmco == 1 || mmco == 3 )
 bs_read_ue( &s ); /* diff_pics_minus1 */
 if( mmco == 2 )
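Review bot: The new `if( i_slice_type > 9 )` test runs after the bs_read_ue() result has already been converted into i_slice_type, so it only rejects what survives that conversion. The declaration is outside the hunk; if i_slice_type is a signed int and the reader can return a value above INT_MAX, the stored value would typically be negative, pass the test, and leave `i_slice_type % 5` negative in p_slice->type. Testing the raw result first avoids this: `v = bs_read_ue( &s ); if( v > 9 ) goto error; i_slice_type = v;`, with v an unsigned local of the reader's return type. The same store-then-compare pattern applies to `p_slice->i_idr_pic_id > 65535` in the second hunk and `mmco > 6` in the third, depending on how those variables are declared.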
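Review bot: The limits 9, 65535 and 6 added by this patch are bare literals with no hint of where they come from, so a reader cannot check them against the H.264 slice-header semantics without looking each one up. In this hunk I would add `/* idr_pic_id: valid range is 0..65535 */` above the test, and likewise `/* slice_type: valid range is 0..9 */` and `/* memory_management_control_operation: valid range is 0..6 */` in the first and third hunks. The `error` label that all three checks jump to is outside the hunks, so how it releases the partly filled p_slice could not be reviewed here.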