From patchwork Thu Sep 17 00:08:15 2020
X-Patchwork-Submitter: Andreas Rheinhardt
X-Patchwork-Id: 22449
From: Andreas Rheinhardt
To: ffmpeg-devel@ffmpeg.org
Cc: Andreas Rheinhardt
Date: Thu, 17 Sep 2020 02:08:15 +0200
Message-Id: <20200917000816.497453-1-andreas.rheinhardt@gmail.com>
Subject: [FFmpeg-devel] [PATCH v2 1/2] avcodec/av1dec: Fix segfault upon allocation error

Up until now, the AV1 decoder always checks before calling its wrapper around ff_thread_release_buffer() whether the ThreadFrame was used at all, i.e. it checks whether the first data buffer of the AVFrame contained therein is NULL or not. Yet this presumes that the AVFrame has been successfully allocated, even though this can of course fail; and if it did, one would encounter a segfault.

Fix this by removing the checks altogether: ff_thread_release_buffer() can handle both unallocated as well as empty frames (since commit f6774f905fb3cfdc319523ac640be30b14c1bc55).

Signed-off-by: Andreas Rheinhardt
---
Removing the checks is based upon a suggestion by James Almer. I have not removed the checks from the other callers of av1_frame_unref() as I don't know how probable it is for the frame to be empty at this point.

I tested this as well as I can, but I have no hardware with AV1 hardware acceleration.

 libavcodec/av1dec.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
index bd8acdaafe..871db76b4d 100644
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -388,12 +388,10 @@ static av_cold int av1_decode_free(AVCodecContext *avctx) AV1DecContext *s = avctx->priv_data; for (int i = 0; i < FF_ARRAY_ELEMS(s->ref); i++) { - if (s->ref[i].tf.f->buf[0]) - av1_frame_unref(avctx, &s->ref[i]); + av1_frame_unref(avctx, &s->ref[i]); av_frame_free(&s->ref[i].tf.f); } - if (s->cur_frame.tf.f->buf[0]) - av1_frame_unref(avctx, &s->cur_frame); + av1_frame_unref(avctx, &s->cur_frame); av_frame_free(&s->cur_frame.tf.f); av_buffer_unref(&s->seq_ref);
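Review bot: both replaced calls are only safe if av1_frame_unref() itself tolerates tf.f == NULL, i.e. it must not read any member of tf.f (buf[0], hwaccel state or anything else) before handing the ThreadFrame to ff_thread_release_buffer(); that function is outside the hunk, so please confirm it, or add an early return there, since the whole purpose of dropping `if (s->ref[i].tf.f->buf[0])` is that tf.f may be NULL after a failed av_frame_alloc() in init. The following av_frame_free(&s->ref[i].tf.f) and av_frame_free(&s->cur_frame.tf.f) are fine on a NULL frame. A one-line comment above the now-unconditional av1_frame_unref() calls saying they deliberately run on never-allocated frames would keep a later cleanup from reinstating the guard.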
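The failure mode the commit message describes, as an added example that is not part of the patch or of FFmpeg's code: a toy model with hypothetical Frame, ThreadFrame and DecContext types, a release function with the contract the message attributes to ff_thread_release_buffer() (a NULL frame and an allocated-but-empty frame are both accepted), and an init routine that fails part-way through allocating its frames. The old guard `tf.f->buf[0]` cannot be executed on the half-initialised context without crashing, so it is modelled as a dry-run count of the NULL frames it would dereference; the patched unconditional-release cleanup is run for real and checked for dangling pointers and leaks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for AVFrame / ThreadFrame / AV1DecContext written for
 * this example; they are not FFmpeg's real types. */
typedef struct Buffer { int refcount; } Buffer;
typedef struct Frame { Buffer *buf[1]; } Frame;
typedef struct ThreadFrame { Frame *f; } ThreadFrame;

enum { NUM_REFS = 8 };
typedef struct DecContext {
    ThreadFrame ref[NUM_REFS];
    ThreadFrame cur_frame;
} DecContext;

static int live_allocs; /* leak detector for the scenarios below */

static Frame *frame_alloc(bool fail)
{
    if (fail)
        return NULL;            /* simulated ENOMEM */
    live_allocs++;
    return calloc(1, sizeof(Frame));
}

static void frame_free(Frame **fp)
{
    if (!fp || !*fp)
        return;                 /* like av_frame_free(): a NULL frame is a no-op */
    free(*fp);
    *fp = NULL;
    live_allocs--;
}

static void attach_buffer(ThreadFrame *tf)
{
    tf->f->buf[0] = calloc(1, sizeof(Buffer));
    tf->f->buf[0]->refcount = 1;
    live_allocs++;
}

/* The contract the commit message relies on for ff_thread_release_buffer():
 * both an unallocated (NULL) frame and an empty one are accepted. */
static void release_buffer(ThreadFrame *tf)
{
    if (!tf->f || !tf->f->buf[0])
        return;
    if (--tf->f->buf[0]->refcount == 0) {
        free(tf->f->buf[0]);
        live_allocs--;
    }
    tf->f->buf[0] = NULL;
}

/* Init that can fail part-way: allocation number fail_at (0-based, ref[] frames
 * first, cur_frame last) returns NULL; -1 means every allocation succeeds. */
static int decode_init(DecContext *s, int fail_at)
{
    int n = 0;
    for (int i = 0; i < NUM_REFS; i++, n++) {
        s->ref[i].f = frame_alloc(n == fail_at);
        if (!s->ref[i].f)
            return -1;          /* the caller still has to run decode_free() */
        if (i == 0)
            attach_buffer(&s->ref[0]); /* one frame with data: the non-empty path */
    }
    s->cur_frame.f = frame_alloc(n == fail_at);
    return s->cur_frame.f ? 0 : -1;
}

/* Old cleanup: `if (s->ref[i].tf.f->buf[0])` dereferences tf.f before anything
 * checks it. Running that on a half-initialised context segfaults, so this
 * counts the NULL frames the guard would have touched instead of running it. */
static int old_cleanup_null_derefs(const DecContext *s)
{
    int n = 0;
    for (int i = 0; i < NUM_REFS; i++)
        n += (s->ref[i].f == NULL);
    n += (s->cur_frame.f == NULL);
    return n;
}

/* Cleanup as in the patch: release unconditionally, then free. */
static void decode_free(DecContext *s)
{
    for (int i = 0; i < NUM_REFS; i++) {
        release_buffer(&s->ref[i]);
        frame_free(&s->ref[i].f);
    }
    release_buffer(&s->cur_frame);
    frame_free(&s->cur_frame.f);
}

/* Scenario: init fails at allocation fail_at; how many NULL frames would the
 * old guarded cleanup have dereferenced? (Anything above 0 is a crash.) */
static int old_cleanup_null_frames(int fail_at)
{
    DecContext s;
    memset(&s, 0, sizeof(s));
    live_allocs = 0;
    decode_init(&s, fail_at);
    int n = old_cleanup_null_derefs(&s);
    decode_free(&s);
    return n;
}

/* Same scenario through the patched cleanup: true when nothing dangles or leaks. */
static bool new_cleanup_ok(int fail_at)
{
    DecContext s;
    memset(&s, 0, sizeof(s));
    live_allocs = 0;
    decode_init(&s, fail_at);
    decode_free(&s);
    for (int i = 0; i < NUM_REFS; i++)
        if (s.ref[i].f)
            return false;
    return s.cur_frame.f == NULL && live_allocs == 0;
}
```

The point the example makes is the one behind the patch: a teardown path that runs after a failed init must work on every partially-initialised state, so NULL handling belongs in the release primitive itself rather than in a guard that has to dereference the object to decide whether to call it.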