h264dec: handle zero-sized NAL units in get_last_needed_nal()

The current code will ignore the init_get_bits() failure and do an
invalid read from the uninitialized GetBitContext.

BUG=690184

Change-Id: I2e075ac19f1e5d99f2c1c57f844dea0275c93bcd
Found-By: Jan Ruge <jan.s.ruge at gmail.com>
Bug-Id: 952
Reviewed-on: https://chromium-review.googlesource.com/441113
Reviewed-by: Fredrik Hubinette <hubbe@chromium.org>
diff --git a/libavcodec/h264dec.c b/libavcodec/h264dec.c
index 072996b..858e9cd 100644
--- a/libavcodec/h264dec.c
+++ b/libavcodec/h264dec.c
@@ -535,8 +535,7 @@
 {
     int nals_needed = 0;
     int first_slice = 0;
-    int i;
-    int ret;
+    int i, ret;
 
     for (i = 0; i < h->pkt.nb_nals; i++) {
         H2645NAL *nal = &h->pkt.nals[i];
@@ -554,9 +553,14 @@
         case H264_NAL_DPA:
         case H264_NAL_IDR_SLICE:
         case H264_NAL_SLICE:
-            ret = init_get_bits8(&gb, nal->data + 1, (nal->size - 1));
-            if (ret < 0)
-                return ret;
+            ret = init_get_bits8(&gb, nal->data + 1, nal->size - 1);
+            if (ret < 0) {
+                av_log(h->avctx, AV_LOG_ERROR, "Invalid zero-sized VCL NAL unit\n");
+                if (h->avctx->err_recognition & AV_EF_EXPLODE)
+                    return ret;
+
+                break;
+            }
             if (!get_ue_golomb_long(&gb) ||  // first_mb_in_slice
                 !first_slice ||
                 first_slice != nal->type)
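Review bot: The log message at the new `av_log` line names only the zero-sized case, but the branch fires on any `init_get_bits8()` failure, so an implausibly large `nal->size` (if that can reach this point) would be reported under a misleading label. Logging the actual size keeps the message truthful for every cause: `av_log(h->avctx, AV_LOG_ERROR, "Invalid VCL NAL unit (size %d), skipping\n", nal->size);`. It would also help to document the lenient path with a comment above `break;`, e.g. `/* without AV_EF_EXPLODE, skip this NAL and keep counting the rest */`, since a skipped NAL is simply not considered for nals_needed. The enclosing function starts above this hunk (its signature is not shown), so I could not confirm the declared type of `nal->size` or how `nals_needed` is consumed afterwards.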
@@ -668,8 +672,11 @@
         case H264_NAL_SLICE:
             h->has_slice = 1;
 
-            if ((err = ff_h264_queue_decode_slice(h, nal)))
+            if ((err = ff_h264_queue_decode_slice(h, nal))) {
+                H264SliceContext *sl = h->slice_ctx + h->nb_slice_ctx_queued;
+                sl->ref_count[0] = sl->ref_count[1] = 0;
                 break;
+            }
 
             if (h->current_slice == 1) {
                 if (avctx->active_thread_type & FF_THREAD_FRAME && !h->avctx->hwaccel &&
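Review bot: The new failure branch indexes `h->slice_ctx + h->nb_slice_ctx_queued` after `ff_h264_queue_decode_slice()` returned an error, which is only correct if that function leaves `nb_slice_ctx_queued` unchanged when it fails; if it advances the counter before bailing out, this clears the wrong context or one past the queued range. I cannot verify that from the hunk, so a comment pinning the invariant would protect the next reader: `/* ff_h264_queue_decode_slice() does not advance nb_slice_ctx_queued on error, so this is the context it was filling; clear its ref counts so stale values are not reused */`. The reason for zeroing `ref_count[]` is otherwise not stated anywhere in the change. The enclosing switch and the handling of `err` after `break` lie outside this hunk.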