From e2dae1faa84ada5746ac2114de7eb68abd824131 Mon Sep 17 00:00:00 2001
From: Mike Scheutzow <mike.scheutzow@alcatel-lucent.com>
Date: Mon, 26 Sep 2011 10:57:53 -0400
Subject: [PATCH] Fix a buffer overflow in libx264 interface to x264 encoder.
 Previous code ignored the compressed buffer size passed in. This change
 returns as many complete NALs as can fit in the buffer, and logs an error
 message.

Signed-off-by: Mike Scheutzow <mike.scheutzow@alcatel-lucent.com>
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/libx264.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/libavcodec/libx264.c b/libavcodec/libx264.c
index 8732672dbb..a0892061b6 100644
--- a/libavcodec/libx264.c
+++ b/libavcodec/libx264.c
@@ -96,9 +96,14 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size,
 
     /* Write the SEI as part of the first frame. */
     if (x4->sei_size > 0 && nnal > 0) {
+        if (x4->sei_size > size) {
+            av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n");
+            return -1;
+        }
         memcpy(p, x4->sei, x4->sei_size);
         p += x4->sei_size;
         x4->sei_size = 0;
+        // why is x4->sei not freed?
     }
 
     for (i = 0; i < nnal; i++){
@@ -109,6 +114,11 @@ static int encode_nals(AVCodecContext *ctx, uint8_t *buf, int size,
             memcpy(x4->sei, nals[i].p_payload, nals[i].i_payload);
             continue;
         }
+        if (nals[i].i_payload > (size - (p - buf))) {
+            // return only complete nals which fit in buf
+            av_log(ctx, AV_LOG_ERROR, "Error: nal buffer is too small\n");
+            break;
+        }
         memcpy(p, nals[i].p_payload, nals[i].i_payload);
         p += nals[i].i_payload;
     }