From f76b633a94e19dc8aca0b80143272ce9b497f94c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Reimar=20D=C3=B6ffinger?= Date: Thu, 19 Sep 2013 01:08:30 +0200 Subject: [PATCH] mpeg4dec: Ensure data is not clobbered too early. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Avoid overwriting the bitstream buffer data before we have ended processing the frame. This is necessary to fix hwaccels which might try to use the buffer during the end_frame call. I am not sure but it is possible this could even trigger a use-after-free if the av_fast_malloc allocated a new buffer. This would require that decode_slice did not wind the bitstream forward all the way to the end, which does not currently happen in normal streams. Signed-off-by: Reimar Döffinger --- libavcodec/h263dec.c | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c index 626be97357..52ab7797f3 100644 --- a/libavcodec/h263dec.c +++ b/libavcodec/h263dec.c @@ -672,7 +672,7 @@ retry: if (CONFIG_WMV2_DECODER && s->msmpeg4_version==5){ ret = ff_wmv2_decode_secondary_picture_header(s); if(ret<0) return ret; - if(ret==1) goto intrax8_decoded; + if(ret==1) goto frame_end; } /* decode each macroblock */ @@ -705,7 +705,18 @@ retry: av_assert1(s->bitstream_buffer_size==0); frame_end: + ff_er_frame_end(&s->er); + + if (avctx->hwaccel) { + if ((ret = avctx->hwaccel->end_frame(avctx)) < 0) + return ret; + } + + ff_MPV_frame_end(s); + /* divx 5.01+ bitstream reorder stuff */ + /* Since this clobbers the input buffer and hwaccel codecs still need the + * data during hwaccel->end_frame we should not do this any earlier */ if(s->codec_id==AV_CODEC_ID_MPEG4 && s->divx_packed){ int current_pos= s->gb.buffer == s->bitstream_buffer ? 0 : (get_bits_count(&s->gb)>>3); int startcode_found=0; @@ -732,16 +743,6 @@ frame_end: } } -intrax8_decoded: - ff_er_frame_end(&s->er); - - if (avctx->hwaccel) { - if ((ret = avctx->hwaccel->end_frame(avctx)) < 0) - return ret; - } - - ff_MPV_frame_end(s); - if (!s->divx_packed && avctx->hwaccel) ff_thread_finish_setup(avctx);