From patchwork Thu Jul 19 15:57:25 2018
X-Patchwork-Submitter: Peter Bennett
X-Patchwork-Id: 9763
From: Peter Bennett
To: ffmpeg-devel@ffmpeg.org
Cc: Peter Bennett
Date: Thu, 19 Jul 2018 11:57:25 -0400
Message-Id: <20180719155725.21165-1-pbennett@mythtv.org>
Subject: [FFmpeg-devel] [PATCH] avcodec/mediacodec_sw_buffer: Fix segmentation fault with decoding on android oreo

avcodec_receive_frame consistently causes a seg fault when decoding 1080i mpeg2 on android version oreo. When copying the frame, the second plane in the buffer follows on immediately after 1080 lines of the first plane, but the code assumes it is after 1088 lines of the first plane, based on slice_height. It crashes on copying data for the second plane when it hits the actual end of the data and starts accessing addresses beyond that.

Instead of using slice_height here, change to use height. slice_height is used at other places in this module and I do not know if they also need to be changed.

I have confirmed that with this change, decoding works correctly on android oreo as well as on the prior version, android nougat.

--- libavcodec/mediacodec_sw_buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libavcodec/mediacodec_sw_buffer.c b/libavcodec/mediacodec_sw_buffer.c index 92428e85f0..3b80e1fb59 100644 --- a/libavcodec/mediacodec_sw_buffer.c +++ b/libavcodec/mediacodec_sw_buffer.c @@ -100,7 +100,7 @@ void ff_mediacodec_sw_buffer_copy_yuv420_planar(AVCodecContext *avctx, src += s->slice_height * s->stride; if (i == 2) { - src += ((s->slice_height + 1) / 2) * stride; + src += ((s->height + 1) / 2) * stride; } src += s->crop_top * stride;
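Review bot: The unchanged context line `src += s->slice_height * s->stride;` directly above the `if (i == 2)` block still skips the first plane by slice_height, so the offset the commit message identifies as wrong (second plane assumed to start after 1088 lines instead of 1080) is not touched by this hunk; only the extra step taken for the third plane changes. Either that line needs the same treatment or the message should explain why the second-plane offset is correct as it stands. Switching to `s->height` unconditionally also assumes no codec pads the chroma planes to slice_height, and the message notes that other uses of slice_height in this module were not checked, so it would be safer to establish why slice_height disagrees with the actual buffer layout on this device and fix it where the value is set. Independently of which height is used, the out-of-bounds read described in the message would be contained by checking the computed source offset plus the length to be copied against the size of the input buffer before copying, and returning an error when it does not fit.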