[FFmpeg-devel] [PATCH] avcodec/hevcdec: slice decoder, fix crash for thread_number > 16

Sat Nov 28 17:55:39 EET 2020

following comandline will crash the ffmpeg
ffmpeg -threads 17 -thread_type slice -i WPP_A_ericsson_MAIN_2.bit out.yuv -y

the HEVCContext->sList size is MAX_NB_THREADS(16), any > 16 thread number will crash the application
---
 libavcodec/hevcdec.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 699c13bbcc..e1dae150d5 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -3406,7 +3406,7 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx)
     av_freep(&s->sh.offset);
     av_freep(&s->sh.size);
 
-    for (i = 1; i < s->threads_number; i++) {
+    for (i = 1; i < FFMIN(s->threads_number, MAX_NB_THREADS); i++) {
         HEVCLocalContext *lc = s->HEVClcList[i];
         if (lc) {
             av_freep(&s->HEVClcList[i]);
@@ -3608,6 +3608,11 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx)
             s->threads_type = FF_THREAD_FRAME;
         else
             s->threads_type = FF_THREAD_SLICE;
+    if (s->threads_type == FF_THREAD_SLICE && s->threads_number > MAX_NB_THREADS) {
+        av_log(s->avctx, AV_LOG_ERROR, "thread number > %d is not supported.\n", MAX_NB_THREADS);
+        hevc_decode_free(avctx);
+        return AVERROR(EINVAL);
+    }
 
     return 0;
 }
-- 
2.25.1

