Avoid OOB reads in nal parsing.

BUG=112670
Review URL: https://chromiumcodereview.appspot.com/9340008

git-svn-id: http://src.chromium.org/svn/trunk/deps/third_party/ffmpeg/source@120671 4ff67af0-8c30-449e-8e8b-ad334ec8d88c
diff --git a/patched-ffmpeg/libavcodec/h264.c b/patched-ffmpeg/libavcodec/h264.c
index 835b29d..8a6d25a 100644
--- a/patched-ffmpeg/libavcodec/h264.c
+++ b/patched-ffmpeg/libavcodec/h264.c
@@ -988,12 +988,13 @@
     AVCodecContext *avctx = h->s.avctx;
 
     if(avctx->extradata[0] == 1){
-        int i, cnt, nalsize;
+        int i, cnt, nalsize, size_left;
         unsigned char *p = avctx->extradata;
+        size_left = avctx->extradata_size;
 
         h->is_avc = 1;
 
-        if(avctx->extradata_size < 7) {
+        if(size_left < 7) {
             av_log(avctx, AV_LOG_ERROR, "avcC too short\n");
             return -1;
         }
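Review bot: The `avctx->extradata[0] == 1` test at the top of this hunk still reads the first byte before any length is consulted, because the new `size_left < 7` check only runs inside that branch. The function starts before the hunk, so it is not visible whether the caller already guarantees a non-NULL, non-empty extradata buffer; if it does not, that first read is itself out of bounds. If empty extradata is not a valid input on this path, add a guard ahead of the branch, for example `if (!avctx->extradata || avctx->extradata_size < 1) return -1;`. Otherwise record the precondition in a comment such as `/* caller guarantees extradata != NULL and extradata_size > 0 */`.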
@@ -1003,23 +1004,47 @@
         // Decode sps from avcC
         cnt = *(p+5) & 0x1f; // Number of sps
         p += 6;
+        size_left -= 6;
         for (i = 0; i < cnt; i++) {
+            if (size_left < 2) {
+                av_log(avctx, AV_LOG_ERROR, "Cannot read sps nalsize\n");
+                return -1;
+            }
             nalsize = AV_RB16(p) + 2;
+            if (size_left < nalsize) {
+                av_log(avctx, AV_LOG_ERROR, "sps nalsize too big\n");
+                return -1;
+            }
             if(decode_nal_units(h, p, nalsize) < 0) {
                 av_log(avctx, AV_LOG_ERROR, "Decoding sps %d from avcC failed\n", i);
                 return -1;
             }
             p += nalsize;
+            size_left -= nalsize;
         }
         // Decode pps from avcC
+        if(!size_left) {
+            av_log(avctx, AV_LOG_ERROR, "Cannot read pps count\n");
+            return -1;
+        }
         cnt = *(p++); // Number of pps
+        --size_left;
         for (i = 0; i < cnt; i++) {
+            if (size_left < 2) {
+                av_log(avctx, AV_LOG_ERROR, "Cannot read pps nalsize\n");
+                return -1;
+            }
             nalsize = AV_RB16(p) + 2;
+            if (size_left < nalsize) {
+                av_log(avctx, AV_LOG_ERROR, "pps nalsize too big\n");
+                return -1;
+            }
             if (decode_nal_units(h, p, nalsize) < 0) {
                 av_log(avctx, AV_LOG_ERROR, "Decoding pps %d from avcC failed\n", i);
                 return -1;
             }
             p += nalsize;
+            size_left -= nalsize;
         }
         // Now store right nal length size, that will be use to parse all other nals
         h->nal_length_size = (avctx->extradata[4] & 0x03) + 1;
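Review bot: The pps-count guard `if(!size_left)` tests only for exactly zero, while every other guard added in this hunk uses a `<` comparison. With the checks as written size_left cannot go negative, but the guard relies on that invariant silently. Writing it as `if (size_left < 1) {` states the requirement directly and stays correct if a later edit changes how size_left is decremented. A short comment above the sps loop, e.g. `/* size_left: bytes of extradata remaining at p; never negative */`, would make the invariant explicit. The enclosing function begins before this hunk and continues after it.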