[FFmpeg-devel] [PATCH 1/2] avcodec/av1: only set the private context pix_fmt field if get_pixel_format() succeeds

James Almer jamrial at gmail.com
Tue Mar 22 21:10:59 EET 2022


Otherwise get_pixel_format() will not be called when parsing a subsequent Sequence
Header in non hwaccel enabled scenarios, allowing frame parsing when it shouldn't.

This prevents the scenario seqhdr -> frame_hdr/redundant_frame_hdr -> seqhdr ->
redundant_frame_hdr from having the latter redundant frame header parsed as if it
was a frame header by the decoder because the former was discarded.
Since CBS did not discard it, the latter redundant frame header is output with a
zeroed AV1RawFrameHeader struct, which can have undesired results, like division
by zero with fields normally guaranteed to be anything else.

Signed-off-by: James Almer <jamrial at gmail.com>
---
 libavcodec/av1dec.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/libavcodec/av1dec.c b/libavcodec/av1dec.c
index 613efc5d11..727d829e5b 100644
--- a/libavcodec/av1dec.c
+++ b/libavcodec/av1dec.c
@@ -506,9 +506,8 @@ static int get_pixel_format(AVCodecContext *avctx)
 
     if (pix_fmt == AV_PIX_FMT_NONE)
         return -1;
-    s->pix_fmt = pix_fmt;
 
-    switch (s->pix_fmt) {
+    switch (pix_fmt) {
     case AV_PIX_FMT_YUV420P:
 #if CONFIG_AV1_DXVA2_HWACCEL
         *fmtp++ = AV_PIX_FMT_DXVA2_VLD;
@@ -551,7 +550,7 @@ static int get_pixel_format(AVCodecContext *avctx)
         break;
     }
 
-    *fmtp++ = s->pix_fmt;
+    *fmtp++ = pix_fmt;
     *fmtp = AV_PIX_FMT_NONE;
 
     ret = ff_thread_get_format(avctx, pix_fmts);
@@ -569,7 +568,7 @@ static int get_pixel_format(AVCodecContext *avctx)
         return AVERROR(ENOSYS);
     }
 
-    avctx->pix_fmt = ret;
+    avctx->pix_fmt = s->pix_fmt = ret;
 
     return 0;
 }
-- 
2.35.1



More information about the ffmpeg-devel mailing list