mirror of https://git.ffmpeg.org/ffmpeg.git
avcodec/h264: Setup decoder to have matching reference to the EC code
Also move EC ref initialization to where the EC code is called. Fixes out of array read Fixes: asan_heap-uaf_143f420_142_20110805_112659_ch0.mkv Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
This commit is contained in:
parent
ecfd48dc06
commit
de6df46120
|
@ -197,8 +197,26 @@ int ff_h264_field_end(H264Context *h, int in_setup)
|
||||||
* causes problems for the first MB line, too.
|
* causes problems for the first MB line, too.
|
||||||
*/
|
*/
|
||||||
if (!FIELD_PICTURE(h) && h->current_slice && !h->sps.new) {
|
if (!FIELD_PICTURE(h) && h->current_slice && !h->sps.new) {
|
||||||
|
int use_last_pic = h->last_pic_for_ec.f.buf[0] && !h->ref_count[0];
|
||||||
|
|
||||||
ff_h264_set_erpic(&h->er.cur_pic, h->cur_pic_ptr);
|
ff_h264_set_erpic(&h->er.cur_pic, h->cur_pic_ptr);
|
||||||
|
|
||||||
|
if (use_last_pic) {
|
||||||
|
ff_h264_set_erpic(&h->er.last_pic, &h->last_pic_for_ec);
|
||||||
|
COPY_PICTURE(&h->ref_list[0][0], &h->last_pic_for_ec);
|
||||||
|
} else if (h->ref_count[0]) {
|
||||||
|
ff_h264_set_erpic(&h->er.last_pic, &h->ref_list[0][0]);
|
||||||
|
} else
|
||||||
|
ff_h264_set_erpic(&h->er.last_pic, NULL);
|
||||||
|
|
||||||
|
if (h->ref_count[1])
|
||||||
|
ff_h264_set_erpic(&h->er.next_pic, &h->ref_list[1][0]);
|
||||||
|
|
||||||
|
h->er.ref_count = h->ref_count[0];
|
||||||
|
|
||||||
ff_er_frame_end(&h->er);
|
ff_er_frame_end(&h->er);
|
||||||
|
if (use_last_pic)
|
||||||
|
memset(&h->ref_list[0][0], 0, sizeof(h->last_pic_for_ec));
|
||||||
}
|
}
|
||||||
#endif /* CONFIG_ERROR_RESILIENCE */
|
#endif /* CONFIG_ERROR_RESILIENCE */
|
||||||
|
|
||||||
|
|
|
@ -1986,15 +1986,6 @@ int ff_h264_decode_slice_header(H264Context *h, H264Context *h0)
|
||||||
(h->ref_list[j][i].reference & 3);
|
(h->ref_list[j][i].reference & 3);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (h->ref_count[0]) {
|
|
||||||
ff_h264_set_erpic(&h->er.last_pic, &h->ref_list[0][0]);
|
|
||||||
} else if (h->last_pic_for_ec.f.buf[0]) {
|
|
||||||
ff_h264_set_erpic(&h->er.last_pic, &h->last_pic_for_ec);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (h->ref_count[1]) ff_h264_set_erpic(&h->er.next_pic, &h->ref_list[1][0]);
|
|
||||||
|
|
||||||
h->er.ref_count = h->ref_count[0];
|
|
||||||
h0->au_pps_id = pps_id;
|
h0->au_pps_id = pps_id;
|
||||||
h->sps.new =
|
h->sps.new =
|
||||||
h0->sps_buffers[h->pps.sps_id]->new = 0;
|
h0->sps_buffers[h->pps.sps_id]->new = 0;
|
||||||
|
|
Loading…
Reference in New Issue