
[FFmpeg-devel,4/8] lavc/snow: only allocate mconly_picture for decoding

Message ID 20220323155720.20017-4-anton@khirnov.net
State New
Series [FFmpeg-devel,1/8] lavc/avcodec: simplify codec id/type validity checking | expand

Checks

Context Check Description
yinshiyou/make_loongarch64 success Make finished
yinshiyou/make_fate_loongarch64 success Make fate finished
andriy/make_x86 success Make finished
andriy/make_fate_x86 success Make fate finished

Commit Message

Anton Khirnov March 23, 2022, 3:57 p.m. UTC
It is not used in the encoder.
---
 libavcodec/snow.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

Comments

Michael Niedermayer March 24, 2022, 11:07 p.m. UTC | #1
On Wed, Mar 23, 2022 at 04:57:16PM +0100, Anton Khirnov wrote:
> It is not used in the encoder.
> ---
>  libavcodec/snow.c | 19 +++++++++++--------
>  1 file changed, 11 insertions(+), 8 deletions(-)

This segfaults with a fuzzed file:
==30657== Invalid read of size 8
==30657==    at 0x1157660: ??? (libavcodec/x86/videodsp.asm:340)
==30657==    by 0xE18591: emulated_edge_mc_avx2 (videodsp_init.c:268)
==30657==    by 0x10D8973: ff_snow_pred_block (snow.c:370)
==30657==    by 0xC0E7DA: add_yblock (snow.h:345)
==30657==    by 0xC0FE62: predict_slice_buffered (snowdec.c:78)
==30657==    by 0xC12CAD: decode_frame (snowdec.c:602)
==30657==    by 0x8BF99F: decode_simple_internal (decode.c:306)
==30657==    by 0x8C0650: decode_simple_receive_frame (decode.c:514)
==30657==    by 0x8C0756: decode_receive_frame_internal (decode.c:535)
==30657==    by 0x8C0A17: avcodec_send_packet (decode.c:603)
==30657==    by 0x25D6A5: decode (ffmpeg.c:2275)
==30657==    by 0x25DE2C: decode_video (ffmpeg.c:2400)
==30657==    by 0x25EEBC: process_input_packet (ffmpeg.c:2640)
==30657==    by 0x266A1E: process_input (ffmpeg.c:4494)
==30657==    by 0x266F12: transcode_step (ffmpeg.c:4634)
==30657==    by 0x26707A: transcode (ffmpeg.c:4688)
==30657==    by 0x267AEF: main (ffmpeg.c:4904)
==30657==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

[...]

Patch

diff --git a/libavcodec/snow.c b/libavcodec/snow.c
index 0a500695ce..1224b95491 100644
--- a/libavcodec/snow.c
+++ b/libavcodec/snow.c
@@ -513,20 +513,23 @@  int ff_snow_common_init_after_header(AVCodecContext *avctx) {
     int ret, emu_buf_size;
 
     if(!s->scratchbuf) {
-        if ((ret = ff_get_buffer(s->avctx, s->mconly_picture,
-                                 AV_GET_BUFFER_FLAG_REF)) < 0)
-            return ret;
+        if (av_codec_is_decoder(avctx->codec)) {
+            if ((ret = ff_get_buffer(s->avctx, s->mconly_picture,
+                                     AV_GET_BUFFER_FLAG_REF)) < 0)
+                return ret;
+
+            if (s->mconly_picture->format != avctx->pix_fmt) {
+                av_log(avctx, AV_LOG_ERROR, "pixel format changed\n");
+                return AVERROR_INVALIDDATA;
+            }
+        }
+
         emu_buf_size = FFMAX(s->mconly_picture->linesize[0], 2*avctx->width+256) * (2 * MB_SIZE + HTAPS_MAX - 1);
         if (!FF_ALLOCZ_TYPED_ARRAY(s->scratchbuf,      FFMAX(s->mconly_picture->linesize[0], 2*avctx->width+256) * 7 * MB_SIZE) ||
             !FF_ALLOCZ_TYPED_ARRAY(s->emu_edge_buffer, emu_buf_size))
             return AVERROR(ENOMEM);
     }
 
-    if(s->mconly_picture->format != avctx->pix_fmt) {
-        av_log(avctx, AV_LOG_ERROR, "pixel format changed\n");
-        return AVERROR_INVALIDDATA;
-    }
-
     for(plane_index=0; plane_index < s->nb_planes; plane_index++){
         int w= s->avctx->width;
         int h= s->avctx->height;
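Review bot: The "pixel format changed" check is now nested inside the `if(!s->scratchbuf)` branch, so it only runs the first time the scratch buffers are allocated; before this change the check below that block ran on every call, which is what rejected a mid-stream change of avctx->pix_fmt relative to the format mconly_picture was allocated with. Once scratchbuf exists, a malformed stream that switches to a format with more or larger planes will get past this function and later code will use mconly_picture planes that were never allocated for that format, which is a memory-safety problem rather than a clean AVERROR_INVALIDDATA. The decoder-only guard is right, but the comparison should stay outside the allocation block so that it runs on every header, e.g. `if (av_codec_is_decoder(avctx->codec) && s->mconly_picture->format != avctx->pix_fmt)`. Separately, the encoder path still reads `s->mconly_picture->linesize[0]` in the emu_buf_size and scratchbuf lines even though no buffer is obtained for it there; if mconly_picture remains a bufferless AVFrame that yields 0 and the `2*avctx->width+256` term wins, but if the rest of the series makes it NULL for encoders this becomes a null dereference, so it is worth confirming. ff_snow_common_init_after_header begins and ends outside this hunk.
```c
    if(!s->scratchbuf) {
        if (av_codec_is_decoder(avctx->codec)) {
            if ((ret = ff_get_buffer(s->avctx, s->mconly_picture,
                                     AV_GET_BUFFER_FLAG_REF)) < 0)
                return ret;
        }
        /* … unchanged: emu_buf_size, scratchbuf and emu_edge_buffer allocation … */
    }

    /* Runs on every header, not only on first allocation, so a format
     * change after scratchbuf exists is still rejected. */
    if (av_codec_is_decoder(avctx->codec) &&
        s->mconly_picture->format != avctx->pix_fmt) {
        av_log(avctx, AV_LOG_ERROR, "pixel format changed\n");
        return AVERROR_INVALIDDATA;
    }
```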