
[FFmpeg-devel,v2] avcodec/hevcdec: slice decoder, fix crash for thread_number > 16

Message ID 20201129025924.5887-1-nuomi2021@gmail.com
State Superseded

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished

Commit Message

Nuo Mi Nov. 29, 2020, 2:59 a.m. UTC
The following command line crashes ffmpeg:
ffmpeg -threads 17 -thread_type slice -i WPP_A_ericsson_MAIN_2.bit out.yuv -y

HEVCContext->sList has MAX_NB_THREADS (16) entries, so any thread number greater than 16 crashes the application.
---
 libavcodec/hevcdec.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Patch

diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 699c13bbcc..457f75b551 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -3406,7 +3406,7 @@  static av_cold int hevc_decode_free(AVCodecContext *avctx)
     av_freep(&s->sh.offset);
     av_freep(&s->sh.size);
 
-    for (i = 1; i < s->threads_number; i++) {
+    for (i = 1; i < FFMIN(s->threads_number, MAX_NB_THREADS); i++) {
         HEVCLocalContext *lc = s->HEVClcList[i];
         if (lc) {
             av_freep(&s->HEVClcList[i]);
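Review bot: The `FFMIN(s->threads_number, MAX_NB_THREADS)` bound on this loop has no comment explaining why it is still needed once hevc_decode_init clamps `threads_number`. Presumably hevc_decode_free can be reached before that clamp runs (an early error return in init, outside this hunk), in which case the unclamped count would index past the end of `HEVClcList`. If that is the reason, state it above the loop, for example `/* threads_number may still be unclamped if init failed early; HEVClcList has MAX_NB_THREADS entries */`. The loop body continues outside the hunk.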
@@ -3608,6 +3608,10 @@  static av_cold int hevc_decode_init(AVCodecContext *avctx)
             s->threads_type = FF_THREAD_FRAME;
         else
             s->threads_type = FF_THREAD_SLICE;
+    if (s->threads_type == FF_THREAD_SLICE && s->threads_number > MAX_NB_THREADS) {
+        av_log(s->avctx, AV_LOG_WARNING, "too many threads (%d), reducing to %d.\n", s->threads_number, MAX_NB_THREADS);
+        s->threads_number = MAX_NB_THREADS;
+    }
 
     return 0;
 }
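Review bot: The clamp sits at the very end of hevc_decode_init, so any code earlier in the function (outside this hunk) that sizes or indexes per-thread state still sees the caller-supplied count. Clamping where `threads_number` is first assigned would close that window and would likely make the FFMIN in hevc_decode_free unnecessary. The check also bounds only `s->threads_number`, and nothing visible here lowers the codec context's own thread count. If the slice worker entry point indexes `sList`/`HEVClcList` by the executor's thread id rather than by this field, an index of MAX_NB_THREADS or above may still be reachable, so that is worth confirming. A comment such as `/* sList and HEVClcList hold MAX_NB_THREADS entries */` above the check would tie the limit to the arrays it protects.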