[FFmpeg-cvslog] Revert "mpegvideo: remove abort() in ff_find_unused_picture()"

Michael Niedermayer git at videolan.org
Thu Dec 15 00:19:53 CET 2011 

ffmpeg | branch: master | Michael Niedermayer <michaelni at gmx.at> | Thu Dec 15 00:10:13 2011 +0100| [dcca7d66bd6387c64cabe8906eee07f1d815e74f] | committer: Michael Niedermayer

Revert "mpegvideo: remove abort() in ff_find_unused_picture()"

This reverts commit 4f820131fa9fbb0a64d7cc469fa471905fc91944.

It is better to abort() than to have remotly exploitable arbitrary code
execution bugs. Even more so that this abort has never been triggered
by any input people threw at it.
If after more extensive testing its removial is found safe we can remove
the abort() later.

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=dcca7d66bd6387c64cabe8906eee07f1d815e74f
---

 libavcodec/mpegvideo.c |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/libavcodec/mpegvideo.c b/libavcodec/mpegvideo.c
index 8924046..bb57bb1 100644
--- a/libavcodec/mpegvideo.c
+++ b/libavcodec/mpegvideo.c
@@ -1095,7 +1095,21 @@ int ff_find_unused_picture(MpegEncContext *s, int shared)
         }
     }
 
-    return AVERROR_INVALIDDATA;
+    av_log(s->avctx, AV_LOG_FATAL,
+           "Internal error, picture buffer overflow\n");
+    /* We could return -1, but the codec would crash trying to draw into a
+     * non-existing frame anyway. This is safer than waiting for a random crash.
+     * Also the return of this is never useful, an encoder must only allocate
+     * as much as allowed in the specification. This has no relationship to how
+     * much libavcodec could allocate (and MAX_PICTURE_COUNT is always large
+     * enough for such valid streams).
+     * Plus, a decoder has to check stream validity and remove frames if too
+     * many reference frames are around. Waiting for "OOM" is not correct at
+     * all. Similarly, missing reference frames have to be replaced by
+     * interpolated/MC frames, anything else is a bug in the codec ...
+     */
+    abort();
+    return -1;
 }
 
 static void update_noise_reduction(MpegEncContext *s){

More information about the ffmpeg-cvslog mailing list