[FFmpeg-cvslog] avcodec/h264: Setup decoder to have matching reference to the EC code

Michael Niedermayer git at videolan.org
Sun Feb 8 02:29:44 CET 2015


ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Sun Feb  8 01:59:16 2015 +0100| [de6df46120367b7d49d9d7c0971cbe36368b840a] | committer: Michael Niedermayer

avcodec/h264: Setup decoder to have matching reference to the EC code

Also move EC ref initialization to where the EC code is called.
Fixes out of array read
Fixes: asan_heap-uaf_143f420_142_20110805_112659_ch0.mkv

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni at gmx.at>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=de6df46120367b7d49d9d7c0971cbe36368b840a
---

 libavcodec/h264_picture.c |   18 ++++++++++++++++++
 libavcodec/h264_slice.c   |    9 ---------
 2 files changed, 18 insertions(+), 9 deletions(-)

diff --git a/libavcodec/h264_picture.c b/libavcodec/h264_picture.c
index b6bdae4..30ac65c 100644
--- a/libavcodec/h264_picture.c
+++ b/libavcodec/h264_picture.c
@@ -197,8 +197,26 @@ int ff_h264_field_end(H264Context *h, int in_setup)
      * causes problems for the first MB line, too.
      */
     if (!FIELD_PICTURE(h) && h->current_slice && !h->sps.new) {
+        int use_last_pic = h->last_pic_for_ec.f.buf[0] && !h->ref_count[0];
+
         ff_h264_set_erpic(&h->er.cur_pic, h->cur_pic_ptr);
+
+        if (use_last_pic) {
+            ff_h264_set_erpic(&h->er.last_pic, &h->last_pic_for_ec);
+            COPY_PICTURE(&h->ref_list[0][0], &h->last_pic_for_ec);
+        } else if (h->ref_count[0]) {
+            ff_h264_set_erpic(&h->er.last_pic, &h->ref_list[0][0]);
+        } else
+            ff_h264_set_erpic(&h->er.last_pic, NULL);
+
+        if (h->ref_count[1])
+            ff_h264_set_erpic(&h->er.next_pic, &h->ref_list[1][0]);
+
+        h->er.ref_count = h->ref_count[0];
+
         ff_er_frame_end(&h->er);
+        if (use_last_pic)
+            memset(&h->ref_list[0][0], 0, sizeof(h->last_pic_for_ec));
     }
 #endif /* CONFIG_ERROR_RESILIENCE */
 
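Review bot: The `if (h->ref_count[1])` branch has no else, so when a slice has no L1 references `h->er.next_pic` keeps whatever the previous call left in it, while `last_pic` is explicitly reset to NULL in its else arm; if ff_er_frame_end() consults next_pic in that state, this is the same stale-reference pattern the commit fixes for last_pic. A symmetric reset, `else ff_h264_set_erpic(&h->er.next_pic, NULL);`, would close that gap. The cleanup memset sizes its write by `sizeof(h->last_pic_for_ec)` although the object being cleared is `h->ref_list[0][0]`; sizing by the destination, `sizeof(h->ref_list[0][0])`, keeps the two from silently diverging if the types ever differ. The `else` at the end of the last_pic chain is also the only unbraced arm in that chain. ff_h264_field_end() starts and ends outside this hunk.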
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index 05a6ccf..316a9ef 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1986,15 +1986,6 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0)
                              (h->ref_list[j][i].reference & 3);
     }
 
-    if (h->ref_count[0]) {
-        ff_h264_set_erpic(&h->er.last_pic, &h->ref_list[0][0]);
-    } else if (h->last_pic_for_ec.f.buf[0]) {
-        ff_h264_set_erpic(&h->er.last_pic, &h->last_pic_for_ec);
-    }
-
-    if (h->ref_count[1]) ff_h264_set_erpic(&h->er.next_pic, &h->ref_list[1][0]);
-
-    h->er.ref_count = h->ref_count[0];
     h0->au_pps_id = pps_id;
     h->sps.new =
     h0->sps_buffers[h->pps.sps_id]->new = 0;


