RepoMirrors
/
mpv
mirror of https://github.com/mpv-player/mpv
1
0
Fork 0
Code Issues Releases Wiki Activity

mp_image: fix UB with certain callers like vf_vdpaupp 

vf_vdpaupp crashed on certain files (with --hwdec=vdpau --deinterlace).
This happened for example with mpeg2 files, which for some reason
typically contain some AVFrame side data. It turns out the last change
in 55c88fdb8f was not quite clean, and forgot the special cases in
mp_image_new_dummy_ref(). This function is supposed to copy all metadata
from the argument passed, except buffer refs. But there were new buffer
refs, that were not cleared properly. Also, the ff_side_data pointer
must be cleared, or the new mp_image would try to free it on
destruction.

The bottom line is that mp_image_new_dummy_ref() is a pretty bad idea,
and I suppose all callers with non-NULL arguments should be changed to
create a blank mp_image, and copy frame properties as needed (this
includes callers of mp_image_new_custom_ref()).

Fixes #5630.
This commit is contained in:
wm4 2018-03-13 10:33:37 +01:00 committed by Kevin Mitchell
parent 38e5b141c6
commit e1b4e5e727
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
video/mp_image.c
View File

@ -369,6 +369,10 @@ struct mp_image *mp_image_new_dummy_ref(struct mp_image *img)
for (int p = 0; p < MP_MAX_PLANES; p++)
new->bufs[p] = NULL;
new->hwctx = NULL;
new->icc_profile = NULL;
new->a53_cc = NULL;
new->num_ff_side_data = 0;
new->ff_side_data = NULL;
return new;
}