highperfocused/ffmpeg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

h264: call alloc_scratch_buffers() only once linesize is known

Browse Source 
Fixes out of array accesses

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
Michael Niedermayer
2013-02-20 17:25:04 +01:00
parent 9b9d996b34
commit 039f55c803
1 changed files with 9 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
libavcodec/h264.c
View File

@@ -1615,14 +1615,6 @@ static int decode_update_thread_context(AVCodecContext *dst,
h->low_delay = h1->low_delay; h->low_delay = h1->low_delay;
h->droppable = h1->droppable; h->droppable = h1->droppable;
/* frame_start may not be called for the next thread (if it's decoding
* a bottom field) so this has to be allocated here */
if (h1->linesize) {
err = alloc_scratch_buffers(h, h1->linesize);
if (err < 0)
return err;
}
// extradata/NAL handling // extradata/NAL handling
h->is_avc = h1->is_avc; h->is_avc = h1->is_avc;
@@ -1747,15 +1739,6 @@ int ff_h264_frame_start(H264Context *h)
h->block_offset[48 + 32 + i] = (4 * ((scan8[i] - scan8[0]) & 7) << pixel_shift) + 8 * h->uvlinesize * ((scan8[i] - scan8[0]) >> 3); h->block_offset[48 + 32 + i] = (4 * ((scan8[i] - scan8[0]) & 7) << pixel_shift) + 8 * h->uvlinesize * ((scan8[i] - scan8[0]) >> 3);
} }
/* can't be in alloc_tables because linesize isn't known there.
* FIXME: redo bipred weight to not require extra buffer? */
for (i = 0; i < h->slice_context_count; i++)
if (h->thread_context[i]) {
ret = alloc_scratch_buffers(h->thread_context[i], h->linesize);
if (ret < 0)
return ret;
}
/* Some macroblocks can be accessed before they're available in case /* Some macroblocks can be accessed before they're available in case
* of lost slices, MBAFF or threading. */ * of lost slices, MBAFF or threading. */
memset(h->slice_table, -1, memset(h->slice_table, -1,
@@ -3465,6 +3448,15 @@ static int decode_slice_header(H264Context *h, H264Context *h0)
if (h != h0 && (ret = clone_slice(h, h0)) < 0) if (h != h0 && (ret = clone_slice(h, h0)) < 0)
return ret; return ret;
/* can't be in alloc_tables because linesize isn't known there.
* FIXME: redo bipred weight to not require extra buffer? */
for (i = 0; i < h->slice_context_count; i++)
if (h->thread_context[i]) {
ret = alloc_scratch_buffers(h->thread_context[i], h->linesize);
if (ret < 0)
return ret;
}
h->cur_pic_ptr->frame_num = h->frame_num; // FIXME frame_num cleanup h->cur_pic_ptr->frame_num = h->frame_num; // FIXME frame_num cleanup
av_assert1(h->mb_num == h->mb_width * h->mb_height); av_assert1(h->mb_num == h->mb_width * h->mb_height);