author | Ronald S. Bultje <rsbultje@gmail.com> | 2012-03-27 00:20:02 +0200 |
---|---|---|
committer | Ronald S. Bultje <rsbultje@gmail.com> | 2012-03-26 16:39:01 -0700 |
commit | 5484170ac729d739b2747979408f47bd9aa31c7c | |
tree | 7e8dc5fe3de1c12ce660130926603e058040e58c /libavcodec | |
parent | 72ccfb3cb7a85d35cfe2c99ab53e981974e599cd | |

rv34: set mb_num_left to 0 after finishing a frame

Prevents running error resilience on a previous frame which will write
to the pic->mb_type[] array of the previous image. The array might
already be re-used for a new image in a subsequent thread, thus cause
two threads to write to the same pic->mb_type[] array, causing a race
condition which can crash in rv34_decode_cbp(), called by
rv34_decode_inter_mb_header() (which accesses mb_type[] twice,
assuming values are maintained, which the race condition breaks).

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

Diffstat (limited to 'libavcodec')
-rw-r--r-- | libavcodec/rv34.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index da5d437b07..b366ead776 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1576,6 +1576,7 @@ static int finish_frame(AVCodecContext *avctx, AVFrame *pict) ff_er_frame_end(s); ff_MPV_frame_end(s); + s->mb_num_left = 0; if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0); @@ -1774,6 +1775,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, * only complete frames */ ff_er_frame_end(s); ff_MPV_frame_end(s); + s->mb_num_left = 0; ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0); return AVERROR_INVALIDDATA; } |
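
Review bot: In the first hunk (finish_frame(), line 1576 onward), the added `s->mb_num_left = 0;` after ff_MPV_frame_end(s) carries no comment, and its purpose is not obvious from the code alone. The commit message gives the reason: a non-zero count lets error resilience run on the previous frame and write to a pic->mb_type[] array that another thread may already be reusing. A one-line comment at the assignment stating that would keep a later cleanup from removing it as redundant state.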
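
Review bot: In the second hunk (ff_rv34_decode_frame(), the path ending in `return AVERROR_INVALIDDATA;`), the sequence ff_er_frame_end(s), ff_MPV_frame_end(s), `s->mb_num_left = 0;` is a copy of what finish_frame() now does, so the fix had to be applied in two places and any future frame-end path can miss it again. Consider moving the reset into one shared helper that both sites call, so that ending a frame and clearing mb_num_left cannot drift apart.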