rv34: set mb_num_left to 0 after finishing a frame

Prevents running error resilience on a previous frame which will write
to the pic->mb_type[] array of the previous image. The array might
already be re-used for a new image in a subsequent thread, thus cause
two threads to write to the same pic->mb_type[] array, causing a race
condition which can crash in rv34_decode_cbp(), called by
rv34_decode_inter_mb_header() (which accesses mb_type[] twice,
assuming values are maintained, which the race condition breaks).

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
This commit is contained in:
Ronald S. Bultje 2012-03-27 00:20:02 +02:00
parent 72ccfb3cb7
commit 5484170ac7
1 changed files with 2 additions and 0 deletions

View File

@ -1576,6 +1576,7 @@ static int finish_frame(AVCodecContext *avctx, AVFrame *pict)
ff_er_frame_end(s);
ff_MPV_frame_end(s);
s->mb_num_left = 0;
if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))
ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0);
@ -1774,6 +1775,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
* only complete frames */
ff_er_frame_end(s);
ff_MPV_frame_end(s);
s->mb_num_left = 0;
ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0);
return AVERROR_INVALIDDATA;
}