Browse code
avcodec/h264_slice: ignore SAR changes in slices after the first
Fixes race condition and null pointer dereference
Fixes: signal_sigsegv_1472ac3_468_cov_2915641226_CABACI3_Sony_B.jsv
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
(cherry picked from commit 38d5241b7f36c1571a88517a0650caade16dd5f4)
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
Conflicts:
libavcodec/h264_slice.c
Michael Niedermayer authored on 2015/02/07 11:34:48Showing 1 changed files
| ... | ... |
@@ -3254,13 +3254,15 @@ static int decode_slice_header(H264Context *h, H264Context *h0) |
| 3254 | 3254 |
|| 16*h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) != h->avctx->coded_height |
| 3255 | 3255 |
|| h->avctx->bits_per_raw_sample != h->sps.bit_depth_luma |
| 3256 | 3256 |
|| h->cur_chroma_format_idc != h->sps.chroma_format_idc |
| 3257 |
- || av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio) |
|
| 3258 | 3257 |
|| h->mb_width != h->sps.mb_width |
| 3259 | 3258 |
|| h->mb_height != h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag) |
| 3260 | 3259 |
)); |
| 3261 | 3260 |
if (non_j_pixfmt(h0->avctx->pix_fmt) != non_j_pixfmt(get_pixel_format(h0, 0))) |
| 3262 | 3261 |
must_reinit = 1; |
| 3263 | 3262 |
|
| 3263 |
+ if (first_slice && av_cmp_q(h->sps.sar, h->avctx->sample_aspect_ratio)) |
|
| 3264 |
+ must_reinit = 1; |
|
| 3265 |
+ |
|
| 3264 | 3266 |
h->mb_width = h->sps.mb_width; |
| 3265 | 3267 |
h->mb_height = h->sps.mb_height * (2 - h->sps.frame_mbs_only_flag); |
| 3266 | 3268 |
h->mb_num = h->mb_width * h->mb_height; |