
[FFmpeg-devel,09/14] avcodec/ffv1dec: Fix segfault with frame threading upon error

Message ID HE1PR0301MB215401AB4818C0AF7E8E6BBE8F449@HE1PR0301MB2154.eurprd03.prod.outlook.com
State New
Series [FFmpeg-devel,01/14] avcodec/ffv1dec: Remove redundant writes, fix races


Context Check Description
andriy/x86_make success Make finished
andriy/x86_make_fate success Make fate finished
andriy/PPC64_make success Make finished
andriy/PPC64_make_fate success Make fate finished

Commit Message

Andreas Rheinhardt April 24, 2021, 11:14 a.m. UTC
It is possible for the source state to be NULL, namely if an error
happened in the src thread and it never even reached the point of
decoding the slices; or if the allocation of src's states failed.

Signed-off-by: Andreas Rheinhardt <andreas.rheinhardt@outlook.com>
 libavcodec/ffv1dec.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)


diff --git a/libavcodec/ffv1dec.c b/libavcodec/ffv1dec.c
index 791dc073bf..bddfd8e2fb 100644
--- a/libavcodec/ffv1dec.c
+++ b/libavcodec/ffv1dec.c
@@ -256,7 +256,10 @@  static int decode_slice(AVCodecContext *c, void *arg)
             memcpy(pdst, psrc, sizeof(*pdst));
             pdst->state = NULL;
             pdst->vlc_state = NULL;
+            if (fssrc->ac && !psrc->state || !fssrc->ac && !psrc->vlc_state) {
+                ret = AVERROR_INVALIDDATA;
+                goto fail;
+            }
             if (fssrc->ac) {
                 pdst->state = av_malloc_array(CONTEXT_SIZE,  psrc->context_count);
                 if (!pdst->state) {
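Review bot: the new condition `if (fssrc->ac && !psrc->state || !fssrc->ac && !psrc->vlc_state)` mixes `&&` and `||` without parentheses; it evaluates as intended under C precedence (`&&` binds tighter than `||`), but GCC and Clang flag exactly this pattern with -Wparentheses, so write it as `if ((fssrc->ac && !psrc->state) || (!fssrc->ac && !psrc->vlc_state))` to keep the build warning-free and the intent obvious. The placement is right: it comes after `pdst->state = NULL; pdst->vlc_state = NULL;`, so by the time of the `goto fail` the memcpy'd copies of src's pointers have already been cleared and the error path cannot free state owned by the source thread (assuming the `fail` label, which lies outside the visible hunk, releases pdst's own buffers). Returning AVERROR_INVALIDDATA for a missing source state is consistent with the commit message: a NULL state here means the source thread never reached slice decoding or failed to allocate, so this is a data/sequence error rather than an allocation failure of the current thread.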