mpegvideo: Fix long standing race condition with frame threads

Since resolution change support this also was exploitable, which is how it was found. Fixes read after free and out of array reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
author: Michael Niedermayer <michaelni@gmx.at> 2013-01-15 04:58:22 +0100
committer: Michael Niedermayer <michaelni@gmx.at> 2013-01-15 05:34:37 +0100
commit: 8ac8f04993e5ff53a9c799d72c3085c77c228134 (patch)
tree: 98e77695dfbd3c9b2495d3ea7ffdc5ea5ca8fb4b /libavcodec/mpegvideo.h
parent: df4203ac6f00bb222e93438967a1e4b6209e7919 (diff)
download: ffmpeg-8ac8f04993e5ff53a9c799d72c3085c77c228134.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/libavcodec/mpegvideo.h b/libavcodec/mpegvideo.h
index c0152fb863..aea2c34b25 100644
--- a/libavcodec/mpegvideo.h
+++ b/libavcodec/mpegvideo.h
@@ -60,8 +60,7 @@ enum OutputFormat {
 #define MAX_MV 2048
 
 #define MAX_THREADS 32
-
-#define MAX_PICTURE_COUNT 34
+#define MAX_PICTURE_COUNT 36
 
 #define ME_MAP_SIZE 64
 #define ME_MAP_SHIFT 3
@@ -149,6 +148,7 @@ typedef struct Picture{
     int b_frame_score;          /* */
     struct MpegEncContext *owner2; ///< pointer to the MpegEncContext that allocated this picture
     int needs_realloc;          ///< Picture needs to be reallocated (eg due to a frame size change)
+    int period_since_free;      ///< "cycles" since this Picture has been freed
 } Picture;
 
 /**
author	Michael Niedermayer <michaelni@gmx.at>	2013-01-15 04:58:22 +0100
committer	Michael Niedermayer <michaelni@gmx.at>	2013-01-15 05:34:37 +0100
commit	8ac8f04993e5ff53a9c799d72c3085c77c228134 (patch)
tree	98e77695dfbd3c9b2495d3ea7ffdc5ea5ca8fb4b /libavcodec/mpegvideo.h
parent	df4203ac6f00bb222e93438967a1e4b6209e7919 (diff)
download	ffmpeg-8ac8f04993e5ff53a9c799d72c3085c77c228134.tar.gz