[FFmpeg-cvslog] avcodec/mpegvideo_dec: Don't zero context on init failure

Andreas Rheinhardt git at videolan.org
Thu Oct 5 23:04:51 EEST 2023

ffmpeg | branch: master | Andreas Rheinhardt <andreas.rheinhardt at outlook.com> | Sun Oct  1 18:23:23 2023 +0200| [d86f7603cf32e9a64d9cdf20b1fe390093652fbe] | committer: Andreas Rheinhardt

avcodec/mpegvideo_dec: Don't zero context on init failure

Up until now, ff_mpeg_update_thread_context() zeroes
the context to initialize on initialization failure.
This was added in e1d7d4bd13cdd8856a3611d1ea387ac733a7aebf.

Just as now, ff_mpeg_update_thread_context() simply
copied the src MpegEncContext over the dst MpegEncContext
to initialize it, but clear_context() was only added in
b160fc290cf49b516c5b6ee0730fd9da7fc623b1, so that cleaning up
on init failure was a minefield if performed.

It was not always performed, namely not before the first
allocation needed to be freed. In the fuzzer sample that
led to e1d7d4bd13cdd8856a3611d1ea387ac733a7aebf, the call
to av_image_check_size() failed and before said commit,
the context contained lots of pointers from the src context,
leading to assert violations later on.

Of course, the proper fix for this is resetting the pointers
(or even better, not copying them in the first place), so
this zeroing is unnecessary since commit
b160fc290cf49b516c5b6ee0730fd9da7fc623b1. It is also harmful,
because it makes initializing something only once during init
more complicated; see the h264chroma handling in the diff
for an example. Therefore it is removed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt at outlook.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=d86f7603cf32e9a64d9cdf20b1fe390093652fbe

 libavcodec/mpegvideo_dec.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/libavcodec/mpegvideo_dec.c b/libavcodec/mpegvideo_dec.c
index f9fccff518..452650b487 100644
--- a/libavcodec/mpegvideo_dec.c
+++ b/libavcodec/mpegvideo_dec.c
@@ -76,6 +76,8 @@ int ff_mpeg_update_thread_context(AVCodecContext *dst,
         int err;
         memcpy(s, s1, sizeof(*s));
+        s->context_initialized   = 0;
+        s->context_reinit        = 0;
         s->avctx                 = dst;
         s->private_ctx           = private_ctx;
         s->bitstream_buffer      = NULL;
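Review bot: the two new flag resets right after `memcpy(s, s1, sizeof(*s))` deserve a short comment, because they are what makes the later bare `return err` safe: the memcpy copies s1's `context_initialized` and `context_reinit` state into the destination, and without these resets a dst whose `ff_mpv_common_init(s)` fails would still claim to be initialized while holding nothing of its own. Suggest something like `/* copied from s1; dst is not initialized until ff_mpv_common_init() succeeds */` above `s->context_initialized   = 0;`.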
@@ -83,13 +85,8 @@ int ff_mpeg_update_thread_context(AVCodecContext *dst,
         if (s1->context_initialized) {
-            if ((err = ff_mpv_common_init(s)) < 0) {
-                memset(s, 0, sizeof(*s));
-                s->avctx = dst;
-                s->private_ctx = private_ctx;
-                memcpy(&s->h264chroma, &s1->h264chroma, sizeof(s->h264chroma));
+            if ((err = ff_mpv_common_init(s)) < 0)
                 return err;
-            }
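Review bot: the failure branch now returns with the destination context still holding whatever the memcpy from s1 left in it, so a one-line comment at `return err;` stating that this relies on `ff_mpv_common_init()` cleaning up its own partial allocations and on the shared pointers already having been reset (the clear_context() change referenced in the commit message) would save the next reader from re-deriving why the old `memset(s, 0, sizeof(*s))` is no longer needed. Dropping the `memcpy(&s->h264chroma, ...)` is consistent with that: once the memset is gone, the h264chroma state copied by the initial memcpy survives on its own.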
