[FFmpeg-devel] [PATCH] Fix segv when decoding gray8

Baptiste Coudurier baptiste.coudurier
Thu Jun 3 23:34:47 CEST 2010 

On 06/03/2010 02:22 PM, Michael Niedermayer wrote:
> On Thu, Jun 03, 2010 at 01:57:22PM -0700, Baptiste Coudurier wrote:
>> On 06/03/2010 01:48 PM, Michael Niedermayer wrote:
>>> On Thu, Jun 03, 2010 at 12:11:41PM -0700, Baptiste Coudurier wrote:
>>>> On 06/03/2010 03:36 AM, Michael Niedermayer wrote:
>>>>> On Wed, Jun 02, 2010 at 06:39:26PM -0700, Baptiste Coudurier wrote:
>>>>>> Hi guys,
>>>>>>
>>>>>> $subject.
>>>>>>
>>>>>> frame->data[1] is set by avpicture_fill which is called with buf passed
>>>>>> from the demuxer.
>>>>>> However, for gray8 the data stored is only width*height, so is too
>>>>>> small
>>>>>> for the palette, and will segv, memcpying.
>>>>>>
>>>>>> I'm not sure what is the right fix here, buf is supposed to be const.
>>>>>
>>>>> as this case can only arrise from use of deprecated (and buggy) palette
>>>>> passing API, the correct (long term goal) is to change all codecs so
>>>>> they
>>>>> finally stop using this highly unpredictable race condition ridden api.
>>>>> until then, your patch may be ok
>>>>
>>>> I don't think this is related to the API.
>>>>
>>>> You cannot generate the palette for gray8 (according to pixfmt.h)
>>>> _anyway_
>>>> since the data buffer is not big enough, since it comes from the demuxer
>>>> itself.
>>>> So either, the picture needs to be copied and the palette generated, or
>>>> we
>>>> skip the palette generation.
>>>
>>> maybe iam missing something but why cant  data[1] that contains the
>>> palette
>>> point to some pal[256] from the context while data[0] would point to the
>>> buffer that originates from the demuxer?
>>
>> Yes, that should be ok assuming there is instructions about only freeing
>> data[0], this is what avpicture_free does, but it seems not documented
>> anywhere.
>
> maybe iam silly but i dont think the frames returned by the raw decoder are
> freed by avpicture_free() but rather by av_free_packet() or in
> raw_close_decoder()

How is the user supposed to free the AVFrame given by the decoder ?

* @param[out] picture
       The AVFrame in which the decoded video frame will be stored.
       Use avcodec_alloc_frame to get an AVFrame, the codec will
       allocate memory for the actual bitmap.

-- 
Baptiste COUDURIER
Key fingerprint                 8D77134D20CC9220201FC5DB0AC9325C5C1ABAAA
FFmpeg maintainer                                  http://www.ffmpeg.org

More information about the ffmpeg-devel mailing list