This is an automated email from the git hooks/post-receive script. Git pushed a commit to branch release/4.4 in repository ffmpeg.
commit c5baeda37e6f297a9a2ac134040f1db577e7c9bc Author: Michael Niedermayer <[email protected]> AuthorDate: Thu Apr 30 18:06:32 2026 +0200 Commit: Michael Niedermayer <[email protected]> CommitDate: Tue May 5 18:55:14 2026 +0200 avcodec/h264: recompute per-slice direct mode state for every slice Regression since: 7f05c5cea04112471d8147487aa3b44141922d09 Fixes: poc10 Fixes: null pointer dereference Reported-by: Dale Curtis <[email protected]> Signed-off-by: Michael Niedermayer <[email protected]> (cherry picked from commit 17723863922bd80e29cc957507cef7ae79eddccb) Signed-off-by: Michael Niedermayer <[email protected]> --- libavcodec/h264_direct.c | 34 +++++++++++++++++++--------------- libavcodec/h264_slice.c | 3 +-- 2 files changed, 20 insertions(+), 17 deletions(-) diff --git a/libavcodec/h264_direct.c b/libavcodec/h264_direct.c index 8f07981130..3dd83413c1 100644 --- a/libavcodec/h264_direct.c +++ b/libavcodec/h264_direct.c @@ -122,26 +122,30 @@ void ff_h264_direct_ref_list_init(const H264Context *const h, H264SliceContext * { H264Ref *const ref1 = &sl->ref_list[1][0]; H264Picture *const cur = h->cur_pic_ptr; - int list, j, field; + int list, field; int sidx = (h->picture_structure & 1) ^ 1; int ref1sidx = (ref1->reference & 1) ^ 1; - for (list = 0; list < sl->list_count; list++) { - cur->ref_count[sidx][list] = sl->ref_count[list]; - for (j = 0; j < sl->ref_count[list]; j++) - cur->ref_poc[sidx][list][j] = 4 * sl->ref_list[list][j].parent->frame_num + - (sl->ref_list[list][j].reference & 3); - } + /* Updates to cur_pic are not safe once ff_thread_finish_setup() has been + * called (other threads may already be reading these fields). */ + if (!h->setup_finished) { + for (list = 0; list < sl->list_count; list++) { + cur->ref_count[sidx][list] = sl->ref_count[list]; + for (int j = 0; j < sl->ref_count[list]; j++) + cur->ref_poc[sidx][list][j] = 4 * sl->ref_list[list][j].parent->frame_num + + (sl->ref_list[list][j].reference & 3); + } - if (h->picture_structure == PICT_FRAME) { - memcpy(cur->ref_count[1], cur->ref_count[0], sizeof(cur->ref_count[0])); - memcpy(cur->ref_poc[1], cur->ref_poc[0], sizeof(cur->ref_poc[0])); - } + if (h->picture_structure == PICT_FRAME) { + memcpy(cur->ref_count[1], cur->ref_count[0], sizeof(cur->ref_count[0])); + memcpy(cur->ref_poc[1], cur->ref_poc[0], sizeof(cur->ref_poc[0])); + } - if (h->current_slice == 0) { - cur->mbaff = FRAME_MBAFF(h); - } else { - av_assert0(cur->mbaff == FRAME_MBAFF(h)); + if (h->current_slice == 0) { + cur->mbaff = FRAME_MBAFF(h); + } else { + av_assert0(cur->mbaff == FRAME_MBAFF(h)); + } } sl->col_fieldoff = 0; diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c index a098f13037..7e8ca89505 100644 --- a/libavcodec/h264_slice.c +++ b/libavcodec/h264_slice.c @@ -1990,8 +1990,7 @@ static int h264_slice_init(H264Context *h, H264SliceContext *sl, if (sl->slice_type_nos == AV_PICTURE_TYPE_B && !sl->direct_spatial_mv_pred) ff_h264_direct_dist_scale_factor(h, sl); - if (!h->setup_finished) - ff_h264_direct_ref_list_init(h, sl); + ff_h264_direct_ref_list_init(h, sl); if (h->avctx->skip_loop_filter >= AVDISCARD_ALL || (h->avctx->skip_loop_filter >= AVDISCARD_NONKEY && _______________________________________________ ffmpeg-cvslog mailing list -- [email protected] To unsubscribe send an email to [email protected]
