[FFmpeg-devel] [PATCH v2] avcodec/h264_slice: don't copy frame data during error concealment
James Almer
jamrial at gmail.com
Thu Mar 11 14:42:03 EET 2021
In addition to the fact that av_image_copy() cannot handle hardware pixel formats,
h->short_ref[0]->f may not be writable at this point.
Based on a patch by Hendrik Leppkes.
Signed-off-by: James Almer <jamrial at gmail.com>
---
This version fixes the fuzzed sample Michael talked about.
libavcodec/h264_slice.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index fa7a639053..14b945756b 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1599,14 +1599,15 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl,
ff_thread_await_progress(&prev->tf, INT_MAX, 0);
if (prev->field_picture)
ff_thread_await_progress(&prev->tf, INT_MAX, 1);
- av_image_copy(h->short_ref[0]->f->data,
- h->short_ref[0]->f->linesize,
- (const uint8_t **)prev->f->data,
- prev->f->linesize,
- prev->f->format,
- prev->f->width,
- prev->f->height);
+ ff_thread_release_buffer(h->avctx, &h->short_ref[0]->tf);
+ h->short_ref[0]->tf.f = h->short_ref[0]->f;
+ ret = ff_thread_ref_frame(&h->short_ref[0]->tf, &prev->tf);
+ if (ret < 0)
+ return ret;
h->short_ref[0]->poc = prev->poc + 2U;
+ ff_thread_report_progress(&h->short_ref[0]->tf, INT_MAX, 0);
+ if (h->short_ref[0]->field_picture)
+ ff_thread_report_progress(&h->short_ref[0]->tf, INT_MAX, 1);
} else if (!h->frame_recovered && !h->avctx->hwaccel)
ff_color_frame(h->short_ref[0]->f, c);
h->short_ref[0]->frame_num = h->poc.prev_frame_num;
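Review bot: on the "if (ret < 0) return ret;" path, h->short_ref[0] has already gone through ff_thread_release_buffer(), so a failed ff_thread_ref_frame() leaves an entry in the short-term reference list with no buffer behind it, and the poc and frame_num assignments that follow are skipped. Either handle the failure so that no later code can reach the emptied frame (for example by taking the new reference into a temporary before releasing the old one), or add a comment stating why every caller treats this error as fatal for the picture. Separately, the wait above is gated on prev->field_picture while the new report for field 1 is gated on h->short_ref[0]->field_picture; since the buffer now comes from prev, a comment explaining why the two flags may differ, or using the same flag in both places, would make the progress handling easier to check.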
--
2.30.1