From 0720e15c0330f0f101c02d5c2c6548e964079f6d Mon Sep 17 00:00:00 2001
From: Mark Thompson
Date: Mon, 27 Jul 2020 17:32:22 +0100
Subject: [PATCH] cbs_h2645: Ensure that non-refcounted parameter sets are fully copied

Only copying the main structure is not necessarily sufficient - there could be references to substructures.
---
 libavcodec/cbs_h2645.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/libavcodec/cbs_h2645.c b/libavcodec/cbs_h2645.c
index 5725539e60..e19fa5249d 100644
--- a/libavcodec/cbs_h2645.c
+++ b/libavcodec/cbs_h2645.c
@@ -720,18 +720,20 @@ static int cbs_h26 ## h26n ## _replace_ ## ps_var(CodedBitstreamContext *ctx, \
 CodedBitstreamH26 ## h26n ## Context *priv = ctx->priv_data; \
 H26 ## h26n ## Raw ## ps_name *ps_var = unit->content; \
 unsigned int id = ps_var->id_element; \
+ int err; \
 if (id >= FF_ARRAY_ELEMS(priv->ps_var)) { \
 av_log(ctx->log_ctx, AV_LOG_ERROR, "Invalid " #ps_name \
 " id : %d.\n", id); \
 return AVERROR_INVALIDDATA; \
 } \
+ err = ff_cbs_make_unit_refcounted(ctx, unit); \
+ if (err < 0) \
+ return err; \
 if (priv->ps_var[id] == priv->active_ ## ps_var) \
 priv->active_ ## ps_var = NULL ; \
 av_buffer_unref(&priv->ps_var ## _ref[id]); \
- if (unit->content_ref) \
- priv->ps_var ## _ref[id] = av_buffer_ref(unit->content_ref); \
- else \
- priv->ps_var ## _ref[id] = av_buffer_alloc(sizeof(*ps_var)); \
+ av_assert0(unit->content_ref); \
+ priv->ps_var ## _ref[id] = av_buffer_ref(unit->content_ref); \
 if (!priv->ps_var ## _ref[id]) \
 return AVERROR(ENOMEM); \
 priv->ps_var[id] = (H26 ## h26n ## Raw ## ps_name *)priv->ps_var ## _ref[id]->data; \
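Review bot: On the `return AVERROR(ENOMEM)` path after `av_buffer_ref()`, `priv->ps_var[id]` still points into the buffer that `av_buffer_unref()` released a few lines earlier, so a failed allocation leaves a stale parameter-set pointer in the context whenever that was the last reference (only `active_ ## ps_var` is cleared). The patch keeps this release-then-acquire order; either clear the slot on failure, `if (!priv->ps_var ## _ref[id]) { priv->ps_var[id] = NULL; return AVERROR(ENOMEM); }` (with the macro's line continuations), or take the new reference into a temporary and unref the old one only once it has succeeded. The local `ps_var` is also read from `unit->content` before `ff_cbs_make_unit_refcounted()` runs, and going by the commit message the content may be copied there, so a short comment such as `/* ps_var may be stale after this call; use unit->content */` would protect later edits. The macro body continues past the end of the hunk, and the removed `av_buffer_alloc(sizeof(*ps_var))` branch suggests a copy of `*ps_var` further down that is presumably now unreachable and worth removing in the same change.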