[FFmpeg-devel] [PATCH v3] avcodec/hevcdec: dynamic allocate sList and HEVClcList

Nuo Mi nuomi2021 at gmail.com
Sun Nov 29 17:30:10 EET 2020


The following command line crashes ffmpeg:
ffmpeg -threads 17 -thread_type slice -i WPP_A_ericsson_MAIN_2.bit out.yuv -y

HEVCContext->sList has MAX_NB_THREADS (16) entries, so any thread count greater than 16 crashes the application.
---
 libavcodec/hevcdec.c | 26 +++++++++++++++-----------
 libavcodec/hevcdec.h |  5 ++---
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/libavcodec/hevcdec.c b/libavcodec/hevcdec.c
index 699c13bbcc..616372dfed 100644
--- a/libavcodec/hevcdec.c
+++ b/libavcodec/hevcdec.c
@@ -3416,6 +3416,8 @@ static av_cold int hevc_decode_free(AVCodecContext *avctx)
     if (s->HEVClc == s->HEVClcList[0])
         s->HEVClc = NULL;
     av_freep(&s->HEVClcList[0]);
+    av_freep(&s->HEVClcList);
+    av_freep(&s->sList);
 
     ff_h2645_packet_uninit(&s->pkt);
 
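Review bot: The two context lines above the added frees still read `s->HEVClcList[0]` unconditionally, and with this patch `HEVClcList` is a heap pointer that can be NULL. hevc_init_context() jumps to `fail` when any of its three allocations fails; the `fail` label is outside the patch, but if it runs hevc_decode_free(), a failed list allocation turns into a NULL dereference here and the already allocated `HEVClc` is leaked. Wrapping the two existing statements in `if (s->HEVClcList) { ... }` and freeing `s->HEVClc` directly in the `else` branch would cover both cases. Any per-thread loop over `sList`/`HEVClcList` earlier in this function, outside the hunk, needs the same NULL check.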
@@ -3432,7 +3434,9 @@ static av_cold int hevc_init_context(AVCodecContext *avctx)
     s->avctx = avctx;
 
     s->HEVClc = av_mallocz(sizeof(HEVCLocalContext));
-    if (!s->HEVClc)
+    s->HEVClcList = av_mallocz(sizeof(HEVCLocalContext*) * s->threads_number);
+    s->sList = av_mallocz(sizeof(HEVCContext*) * s->threads_number);
+    if (!s->HEVClc || !s->HEVClcList || !s->sList)
         goto fail;
     s->HEVClcList[0] = s->HEVClc;
     s->sList[0] = s;
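Review bot: The two new allocations compute `sizeof(...) * s->threads_number` by hand and then store into element `[0]` without checking that the count is at least 1. Using the array allocator keeps the multiplication overflow-checked and ties the element size to the field: `s->HEVClcList = av_mallocz_array(s->threads_number, sizeof(*s->HEVClcList));`, and likewise for `s->sList`. Whether `threads_number` can be 0 at this point depends on callers outside the patch, so a guard such as `if (s->threads_number < 1) return AVERROR(EINVAL);` before the allocations would make the `[0]` stores safe by construction. hevc_init_context() continues outside the hunk.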
@@ -3579,6 +3583,16 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx)
     HEVCContext *s = avctx->priv_data;
     int ret;
 
+    if(avctx->active_thread_type & FF_THREAD_SLICE)
+        s->threads_number = avctx->thread_count;
+    else
+        s->threads_number = 1;
+
+    if((avctx->active_thread_type & FF_THREAD_FRAME) && avctx->thread_count > 1)
+        s->threads_type = FF_THREAD_FRAME;
+    else
+        s->threads_type = FF_THREAD_SLICE;
+
     ret = hevc_init_context(avctx);
     if (ret < 0)
         return ret;
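Review bot: `s->threads_number = avctx->thread_count;` now fixes the length of `sList` and `HEVClcList`, but the declaration of `threads_number` is not in the patch. If it is as narrow as the neighbouring `uint8_t threads_type` in hevcdec.h, a thread count above 255 is truncated on assignment, and any code that bounds its loops by `avctx->thread_count` instead would index past the new arrays. Consider widening the field to `int` or rejecting out-of-range counts, and add a comment above the moved block such as `/* must be set before hevc_init_context(), which sizes sList/HEVClcList from threads_number */`. The moved lines also write `if(` without a space, unlike the `if (ret < 0)` just below.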
@@ -3589,11 +3603,6 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx)
 
     atomic_init(&s->wpp_err, 0);
 
-    if(avctx->active_thread_type & FF_THREAD_SLICE)
-        s->threads_number = avctx->thread_count;
-    else
-        s->threads_number = 1;
-
     if (!avctx->internal->is_copy) {
         if (avctx->extradata_size > 0 && avctx->extradata) {
             ret = hevc_decode_extradata(s, avctx->extradata, avctx->extradata_size, 1);
@@ -3604,11 +3613,6 @@ static av_cold int hevc_decode_init(AVCodecContext *avctx)
         }
     }
 
-    if((avctx->active_thread_type & FF_THREAD_FRAME) && avctx->thread_count > 1)
-            s->threads_type = FF_THREAD_FRAME;
-        else
-            s->threads_type = FF_THREAD_SLICE;
-
     return 0;
 }
 
diff --git a/libavcodec/hevcdec.h b/libavcodec/hevcdec.h
index 39c5c7f89f..c0a138e97a 100644
--- a/libavcodec/hevcdec.h
+++ b/libavcodec/hevcdec.h
@@ -42,7 +42,6 @@
 #include "thread.h"
 #include "videodsp.h"
 
-#define MAX_NB_THREADS 16
 #define SHIFT_CTB_WPP 2
 
 //TODO: check if this is really the maximum
@@ -468,9 +467,9 @@ typedef struct HEVCContext {
     const AVClass *c;  // needed by private avoptions
     AVCodecContext *avctx;
 
-    struct HEVCContext  *sList[MAX_NB_THREADS];
+    struct HEVCContext  **sList;
 
-    HEVCLocalContext    *HEVClcList[MAX_NB_THREADS];
+    HEVCLocalContext    **HEVClcList;
     HEVCLocalContext    *HEVClc;
 
     uint8_t             threads_type;
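Review bot: `sList` and `HEVClcList` lose their compile-time length here, so the declaration no longer tells a reader how many entries are valid or who owns the storage. A short comment on each field would help, for example `///< threads_number entries, allocated in hevc_init_context(), freed in hevc_decode_free()`. The struct continues outside the hunk, so any remaining `MAX_NB_THREADS` users or `FF_ARRAY_ELEMS(s->sList)`-style size computations elsewhere are not visible from here and are worth checking before merge.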
-- 
2.25.1


