aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnton Khirnov <anton@khirnov.net>2015-05-08 19:07:10 +0200
committerAnton Khirnov <anton@khirnov.net>2015-06-27 16:46:01 +0200
commit6d4d3fee63c46d921c4870feab79269af94e84e1 (patch)
tree689252383642773a63da81cc6fdc7f911f56770c
parent9a5e4fbec870c7d466b7a0aec92c70778efc96b5 (diff)
downloadffmpeg-6d4d3fee63c46d921c4870feab79269af94e84e1.tar.gz
h264: make sure the current picture is not made a long ref multiple times
Fixes possible invalid reads, once one of those refs is freed, but the others remain. CC: libav-stable@libav.org
-rw-r--r--libavcodec/h264_refs.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/libavcodec/h264_refs.c b/libavcodec/h264_refs.c
index 2ddbdb7052..adc2213944 100644
--- a/libavcodec/h264_refs.c
+++ b/libavcodec/h264_refs.c
@@ -640,6 +640,15 @@ int ff_h264_execute_ref_pic_marking(H264Context *h, MMCO *mmco, int mmco_count)
if (h->short_ref[0] == h->cur_pic_ptr)
remove_short_at_index(h, 0);
+ /* make sure the current picture is not already assigned as a long ref */
+ if (h->cur_pic_ptr->long_ref) {
+ for (j = 0; j < FF_ARRAY_ELEMS(h->long_ref); j++) {
+ if (h->long_ref[j] == h->cur_pic_ptr)
+ remove_long(h, j, 0);
+ }
+ }
+
+
if (h->long_ref[mmco[i].long_arg] != h->cur_pic_ptr) {
remove_long(h, mmco[i].long_arg, 0);