[FFmpeg-devel,v2] avcodec/h264_slice: don't copy frame data during error concealment

Message ID 20210311124203.310-1-jamrial@gmail.com
State Accepted
Commit 99042c2bf6cc79006036502a6abbec5e51f73673

Checks

Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

James Almer March 11, 2021, 12:42 p.m. UTC
In addition to the fact that av_image_copy() cannot handle hardware pixel formats,
h->short_ref[0]->f may not be writable at this point.

Based on a patch by Hendrik Leppkes.

Signed-off-by: James Almer <jamrial@gmail.com>
---
This version fixes the fuzzed sample Michael talked about.

 libavcodec/h264_slice.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

Comments

Michael Niedermayer March 11, 2021, 7:54 p.m. UTC | #1
On Thu, Mar 11, 2021 at 09:42:03AM -0300, James Almer wrote:
> In addition to the fact that av_image_copy() cannot handle hardware pixel formats,
> h->short_ref[0]->f may not be writable at this point.
> 
> Based on a patch by Hendrik Leppkes.
> 
> Signed-off-by: James Almer <jamrial@gmail.com>
> ---
> This version fixes the fuzzed sample Michael talked about.

As said privately already, this works fine with everything I threw at it

thx

[...]
James Almer March 11, 2021, 8:58 p.m. UTC | #2
On 3/11/2021 4:54 PM, Michael Niedermayer wrote:
> On Thu, Mar 11, 2021 at 09:42:03AM -0300, James Almer wrote:
>> In addition to the fact that av_image_copy() cannot handle hardware pixel formats,
>> h->short_ref[0]->f may not be writable at this point.
>>
>> Based on a patch by Hendrik Leppkes.
>>
>> Signed-off-by: James Almer <jamrial@gmail.com>
>> ---
>> This version fixes the fuzzed sample Michael talked about.
> 
> As said privately already, this works fine with everything I threw at it
> 
> thx

Pushed, thanks.
Patch

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index fa7a639053..14b945756b 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1599,14 +1599,15 @@  static int h264_field_start(H264Context *h, const H264SliceContext *sl,
                 ff_thread_await_progress(&prev->tf, INT_MAX, 0);
                 if (prev->field_picture)
                     ff_thread_await_progress(&prev->tf, INT_MAX, 1);
-                av_image_copy(h->short_ref[0]->f->data,
-                              h->short_ref[0]->f->linesize,
-                              (const uint8_t **)prev->f->data,
-                              prev->f->linesize,
-                              prev->f->format,
-                              prev->f->width,
-                              prev->f->height);
+                ff_thread_release_buffer(h->avctx, &h->short_ref[0]->tf);
+                h->short_ref[0]->tf.f = h->short_ref[0]->f;
+                ret = ff_thread_ref_frame(&h->short_ref[0]->tf, &prev->tf);
+                if (ret < 0)
+                    return ret;
                 h->short_ref[0]->poc = prev->poc + 2U;
+                ff_thread_report_progress(&h->short_ref[0]->tf, INT_MAX, 0);
+                if (h->short_ref[0]->field_picture)
+                    ff_thread_report_progress(&h->short_ref[0]->tf, INT_MAX, 1);
             } else if (!h->frame_recovered && !h->avctx->hwaccel)
                 ff_color_frame(h->short_ref[0]->f, c);
             h->short_ref[0]->frame_num = h->poc.prev_frame_num;
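Review bot: The new early exit `if (ret < 0) return ret;` runs after ff_thread_release_buffer() has already been called on h->short_ref[0]->tf, so when ff_thread_ref_frame() fails the picture is still reachable as h->short_ref[0] but no longer holds its old buffer. It would help to state in a comment that the error return is treated as fatal for this frame, or to mark or unlink the entry before returning so later reference handling cannot pick up an empty picture. Two smaller points in the same hunk: the wait above is gated on `prev->field_picture` while the added ff_thread_report_progress() call for field 1 is gated on `h->short_ref[0]->field_picture`, and since the frame now shares prev's data a one-line comment on why the destination's flag is the right one (or switching to prev's) would remove the ambiguity; and the reassignment `h->short_ref[0]->tf.f = h->short_ref[0]->f;` deserves a short comment explaining why it is needed between the release and the ref.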