[FFmpeg-devel] [PATCH] mpeg4dec: Ensure data is not clobbered too early.
Reimar Döffinger
Reimar.Doeffinger at gmx.de
Thu Sep 19 01:13:02 CEST 2013
Avoid overwriting the bitstream buffer data before we
have ended processing the frame.
This is necessary to fix hwaccels which might try to use
the buffer during the end_frame call.
I am not sure but it is possible this could even trigger
a use-after-free if the av_fast_malloc allocated a new buffer.
This would require that decode_slice did not wind the bistream
forward all the way to the end, which does not happen in
normal streams.
Signed-off-by: Reimar Döffinger <Reimar.Doeffinger at gmx.de>
---
libavcodec/h263dec.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index 7dfcf1d..521e2eb 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -675,7 +675,7 @@ retry:
if (CONFIG_WMV2_DECODER && s->msmpeg4_version==5){
ret = ff_wmv2_decode_secondary_picture_header(s);
if(ret<0) return ret;
- if(ret==1) goto intrax8_decoded;
+ if(ret==1) goto frame_end;
}
/* decode each macroblock */
@@ -708,6 +708,15 @@ retry:
av_assert1(s->bitstream_buffer_size==0);
frame_end:
+ ff_er_frame_end(&s->er);
+
+ if (avctx->hwaccel) {
+ if ((ret = avctx->hwaccel->end_frame(avctx)) < 0)
+ return ret;
+ }
+
+ ff_MPV_frame_end(s);
+
/* divx 5.01+ bitstream reorder stuff */
if(s->codec_id==AV_CODEC_ID_MPEG4 && s->divx_packed){
int current_pos= s->gb.buffer == s->bitstream_buffer ? 0 : (get_bits_count(&s->gb)>>3);
@@ -735,16 +744,6 @@ frame_end:
}
}
-intrax8_decoded:
- ff_er_frame_end(&s->er);
-
- if (avctx->hwaccel) {
- if ((ret = avctx->hwaccel->end_frame(avctx)) < 0)
- return ret;
- }
-
- ff_MPV_frame_end(s);
-
if (!s->divx_packed && avctx->hwaccel)
ff_thread_finish_setup(avctx);
--
1.8.4.rc3
More information about the ffmpeg-devel
mailing list