[FFmpeg-cvslog] avcodec/ffv1: seperate slice_count from max_slice_count
Michael Niedermayer
git at videolan.org
Fri Oct 9 22:50:05 CEST 2015
ffmpeg | branch: release/2.3 | Michael Niedermayer <michael at niedermayer.cc> | Thu Sep 24 23:49:30 2015 +0200| [e2f0443af082508c335b6d44c2c7dcef0f6a868f] | committer: Carl Eugen Hoyos
avcodec/ffv1: seperate slice_count from max_slice_count
Fix segfault with too large slice_count
Fixes Ticket4879
Signed-off-by: Michael Niedermayer <michael at niedermayer.cc>
(cherry picked from commit aa6c43f3fdec8a7518534b9dab20c9eb4be11568)
Conflicts:
libavcodec/ffv1enc.c
libavcodec/ffv1.c
> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e2f0443af082508c335b6d44c2c7dcef0f6a868f
---
libavcodec/ffv1.c | 14 +++++++-------
libavcodec/ffv1.h | 1 +
libavcodec/ffv1dec.c | 8 +++++---
libavcodec/ffv1enc.c | 4 +++-
4 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/libavcodec/ffv1.c b/libavcodec/ffv1.c
index ab58a60..6073bc4 100644
--- a/libavcodec/ffv1.c
+++ b/libavcodec/ffv1.c
@@ -101,7 +101,7 @@ av_cold int ffv1_init_slice_state(FFV1Context *f, FFV1Context *fs)
av_cold int ffv1_init_slices_state(FFV1Context *f)
{
int i, ret;
- for (i = 0; i < f->slice_count; i++) {
+ for (i = 0; i < f->max_slice_count; i++) {
FFV1Context *fs = f->slice_context[i];
if ((ret = ffv1_init_slice_state(f, fs)) < 0)
return AVERROR(ENOMEM);
@@ -113,10 +113,10 @@ av_cold int ffv1_init_slice_contexts(FFV1Context *f)
{
int i;
- f->slice_count = f->num_h_slices * f->num_v_slices;
- av_assert0(f->slice_count > 0);
+ f->max_slice_count = f->num_h_slices * f->num_v_slices;
+ av_assert0(f->max_slice_count > 0);
- for (i = 0; i < f->slice_count; i++) {
+ for (i = 0; i < f->max_slice_count; i++) {
FFV1Context *fs = av_mallocz(sizeof(*fs));
int sx = i % f->num_h_slices;
int sy = i / f->num_h_slices;
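Review bot: Only the lower bound of `max_slice_count` is enforced here, since `av_assert0(f->max_slice_count > 0)` says nothing about `MAX_SLICES`, while the loops in this commit index `slice_context[]` (declared with `MAX_SLICES` entries in ffv1.h) up to `max_slice_count`. If the callers do not already bound `num_h_slices` and `num_v_slices` (not visible in this hunk), the product can exceed the array or overflow `int`. For values that may originate from a stream header, an error return is preferable to an assert, e.g. `if (f->num_h_slices <= 0 || f->num_v_slices <= 0 || f->num_h_slices > MAX_SLICES / f->num_v_slices) return AVERROR_INVALIDDATA;` ahead of the multiplication. The function body continues outside the hunk.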
@@ -201,7 +201,7 @@ av_cold int ffv1_close(AVCodecContext *avctx)
ff_thread_release_buffer(avctx, &s->last_picture);
av_frame_free(&s->last_picture.f);
- for (j = 0; j < s->slice_count; j++) {
+ for (j = 0; j < s->max_slice_count; j++) {
FFV1Context *fs = s->slice_context[j];
for (i = 0; i < s->plane_count; i++) {
PlaneContext *p = &fs->plane[i];
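Review bot: `ffv1_close` now walks `max_slice_count` entries and uses each `slice_context[j]` without a NULL check, both through `fs->plane[i]` here and through `sf->rc_stat2[j]` in the next hunk. `max_slice_count` is assigned in `ffv1_init_slice_contexts` before the allocation loop runs, so if that loop can return early on a failed `av_mallocz` (its error path is not visible here), close would reach entries that were never allocated. Either have the failure path shrink `max_slice_count` to the number of contexts actually allocated, or guard the loops with `if (!fs) continue;`. The function starts and ends outside both hunks.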
@@ -215,14 +215,14 @@ av_cold int ffv1_close(AVCodecContext *avctx)
av_freep(&avctx->stats_out);
for (j = 0; j < s->quant_table_count; j++) {
av_freep(&s->initial_states[j]);
- for (i = 0; i < s->slice_count; i++) {
+ for (i = 0; i < s->max_slice_count; i++) {
FFV1Context *sf = s->slice_context[i];
av_freep(&sf->rc_stat2[j]);
}
av_freep(&s->rc_stat2[j]);
}
- for (i = 0; i < s->slice_count; i++)
+ for (i = 0; i < s->max_slice_count; i++)
av_freep(&s->slice_context[i]);
return 0;
diff --git a/libavcodec/ffv1.h b/libavcodec/ffv1.h
index 5081397..cc354c3 100644
--- a/libavcodec/ffv1.h
+++ b/libavcodec/ffv1.h
@@ -117,6 +117,7 @@ typedef struct FFV1Context {
struct FFV1Context *slice_context[MAX_SLICES];
int slice_count;
+ int max_slice_count;
int num_v_slices;
int num_h_slices;
int slice_width;
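Review bot: The new field is undocumented, although the distinction between the two counters is the whole point of the change and a later loop can easily pick the wrong one. Suggest `int slice_count;      /* slices used by the current frame, <= max_slice_count */` and `int max_slice_count;  /* number of allocated slice_context[] entries */`. Both statements follow from the other hunks: the allocation and free loops run to `max_slice_count`, and the decoder rejects `slice_count > max_slice_count`.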
diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index b10e212..f50bb5d 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -758,6 +758,7 @@ static int read_header(FFV1Context *f)
av_log(f->avctx, AV_LOG_ERROR, "read_quant_table error\n");
return AVERROR_INVALIDDATA;
}
+ f->slice_count = f->max_slice_count;
} else if (f->version < 3) {
f->slice_count = get_symbol(c, state, 0);
} else {
@@ -772,8 +773,8 @@ static int read_header(FFV1Context *f)
p -= size + trailer;
}
}
- if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0) {
- av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid\n", f->slice_count);
+ if (f->slice_count > (unsigned)MAX_SLICES || f->slice_count <= 0 || f->slice_count > f->max_slice_count) {
+ av_log(f->avctx, AV_LOG_ERROR, "slice count %d is invalid (max=%d)\n", f->slice_count, f->max_slice_count);
return AVERROR_INVALIDDATA;
}
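Review bot: The rejected value stays in the context, because `f->slice_count` is written straight from the bitstream (`f->slice_count = get_symbol(c, state, 0);` in the previous hunk) and the error path here returns without resetting it. Whether any later path can read `slice_count` after a failed `read_header` is not visible from these hunks, but the check is more robust if it does not depend on that. Adding `f->slice_count = 0;` before `return AVERROR_INVALIDDATA;` would do, as would parsing into a local and storing it only once it has passed this test. `read_header` begins and ends outside the hunk.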
@@ -996,6 +997,7 @@ static int init_thread_copy(AVCodecContext *avctx)
f->picture.f = NULL;
f->last_picture.f = NULL;
f->sample_buffer = NULL;
+ f->max_slice_count = 0;
f->slice_count = 0;
for (i = 0; i < f->quant_table_count; i++) {
@@ -1066,7 +1068,7 @@ static int update_thread_context(AVCodecContext *dst, const AVCodecContext *src)
av_assert0(!fdst->sample_buffer);
}
- av_assert1(fdst->slice_count == fsrc->slice_count);
+ av_assert1(fdst->max_slice_count == fsrc->max_slice_count);
ff_thread_release_buffer(dst, &fdst->picture);
diff --git a/libavcodec/ffv1enc.c b/libavcodec/ffv1enc.c
index b63ed42..a289ff3 100644
--- a/libavcodec/ffv1enc.c
+++ b/libavcodec/ffv1enc.c
@@ -955,6 +955,7 @@ slices_ok:
if ((ret = ffv1_init_slice_contexts(s)) < 0)
return ret;
+ s->slice_count = s->max_slice_count;
if ((ret = ffv1_init_slices_state(s)) < 0)
return ret;
@@ -964,7 +965,7 @@ slices_ok:
if (!avctx->stats_out)
return AVERROR(ENOMEM);
for (i = 0; i < s->quant_table_count; i++)
- for (j = 0; j < s->slice_count; j++) {
+ for (j = 0; j < s->max_slice_count; j++) {
FFV1Context *sf = s->slice_context[j];
av_assert0(!sf->rc_stat2[i]);
sf->rc_stat2[i] = av_mallocz(s->context_count[i] *
@@ -1188,6 +1189,7 @@ static int encode_frame(AVCodecContext *avctx, AVPacket *pkt,
for (i = 0; i < f->quant_table_count; i++)
memset(f->rc_stat2[i], 0, f->context_count[i] * sizeof(*f->rc_stat2[i]));
+ av_assert0(f->slice_count == f->max_slice_count);
for (j = 0; j < f->slice_count; j++) {
FFV1Context *fs = f->slice_context[j];
for (i = 0; i < 256; i++) {