Browse code
avcodec/h264_slice: Do not change frame_num after the first slice
Fixes potential race condition
Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit f906982c9411f3062e3ce68013309b37c213c4dd)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Conflicts:
libavcodec/h264_slice.c
Michael Niedermayer authored on 2015/02/07 10:06:20Showing 1 changed files
| ... | ... |
@@ -3148,6 +3148,7 @@ static int decode_slice_header(H264Context *h, H264Context *h0) |
| 3148 | 3148 |
int must_reinit; |
| 3149 | 3149 |
int needs_reinit = 0; |
| 3150 | 3150 |
int first_slice = h == h0 && !h0->current_slice; |
| 3151 |
+ int frame_num; |
|
| 3151 | 3152 |
PPS *pps; |
| 3152 | 3153 |
|
| 3153 | 3154 |
h->me.qpel_put = h->h264qpel.put_h264_qpel_pixels_tab; |
| ... | ... |
@@ -3333,7 +3334,15 @@ static int decode_slice_header(H264Context *h, H264Context *h0) |
| 3333 | 3333 |
init_dequant_tables(h); |
| 3334 | 3334 |
} |
| 3335 | 3335 |
|
| 3336 |
- h->frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num); |
|
| 3336 |
+ frame_num = get_bits(&h->gb, h->sps.log2_max_frame_num); |
|
| 3337 |
+ if (!first_slice) {
|
|
| 3338 |
+ if (h0->frame_num != frame_num) {
|
|
| 3339 |
+ av_log(h->avctx, AV_LOG_ERROR, "Frame num change from %d to %d\n", |
|
| 3340 |
+ h0->frame_num, frame_num); |
|
| 3341 |
+ return AVERROR_INVALIDDATA; |
|
| 3342 |
+ } |
|
| 3343 |
+ } |
|
| 3344 |
+ h->frame_num = frame_num; |
|
| 3337 | 3345 |
|
| 3338 | 3346 |
h->mb_mbaff = 0; |
| 3339 | 3347 |
h->mb_aff_frame = 0; |