rv34: set mb_num_left to 0 after finishing a frame
Prevents running error resilience on a previous frame, which would write to the pic->mb_type[] array of the previous image. The array might already be re-used for a new image in a subsequent thread, so two threads could write to the same pic->mb_type[] array. This race condition can crash in rv34_decode_cbp(), called by rv34_decode_inter_mb_header() (which accesses mb_type[] twice, assuming values are maintained, which the race condition breaks).

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org
parent
72ccfb3cb7
commit
5484170ac7
@ -1576,6 +1576,7 @@ static int finish_frame(AVCodecContext *avctx, AVFrame *pict)
|
||||
|
||||
ff_er_frame_end(s);
|
||||
ff_MPV_frame_end(s);
|
||||
s->mb_num_left = 0;
|
||||
|
||||
if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))
|
||||
ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0);
|
||||
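Review bot: The added `s->mb_num_left = 0;` in finish_frame() carries no comment, and nothing at the call site says it is a thread-safety guard rather than plain bookkeeping. Going by the commit message, it stops a later error-resilience pass from writing to a pic->mb_type[] array that another frame thread may already be using, so a cleanup that drops the line as redundant would bring the race back. I would put `/* frame is finished: no MBs left, so a later call must not run error resilience on this picture again */` above it, and the same above the identical line in the ff_rv34_decode_frame() hunk. finish_frame() starts and ends outside the hunk.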
@ -1774,6 +1775,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
|
||||
* only complete frames */
|
||||
ff_er_frame_end(s);
|
||||
ff_MPV_frame_end(s);
|
||||
s->mb_num_left = 0;
|
||||
ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0);
|
||||
return AVERROR_INVALIDDATA;
|
||||
}
|
||||
|
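Review bot: This error path now repeats by hand the same teardown as finish_frame() (`ff_er_frame_end(s); ff_MPV_frame_end(s); s->mb_num_left = 0;`), so the fix holds only as long as every frame-ending path remembers the reset. Folding the three statements into one small static helper called from both places would keep the reset tied to the frame-end calls. Any other path that ends a frame outside these hunks should be checked for the same reset. The enclosing block of ff_rv34_decode_frame() begins outside the hunk, so the condition guarding this path is not visible here.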