From: Chris Evans <[email protected]> Prevents a crash with certain mp4 files.
References: http://code.google.com/p/chromium/issues/detail?id=7302 http://codereview.chromium.org/6597005 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1198
---
 libavcodec/pthread.c | 14 ++++++++------
 1 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/libavcodec/pthread.c b/libavcodec/pthread.c
index e546c21..462b0ec 100644
--- a/libavcodec/pthread.c
+++ b/libavcodec/pthread.c
@@ -491,9 +491,10 @@ int ff_thread_decode_frame(AVCodecContext *avctx,
 AVPacket *avpkt)
 {
 FrameThreadContext *fctx = avctx->thread_opaque;
+ int thread_count = avctx->thread_count;
 int finished = fctx->next_finished;
 PerThreadContext *p;
- int err;
+ int decoding_save, err;
 /*
 * Submit a packet to the next decoding thread.
@@ -505,14 +506,17 @@ int ff_thread_decode_frame(AVCodecContext *avctx,
 if (err) return err;
 fctx->next_decoding++;
-
+ decoding_save = fctx->next_decoding;
+ if (fctx->next_decoding >= thread_count)
+ fctx->next_decoding = 0;
+
 /*
 * If we're still receiving the initial packets, don't return a frame.
 */
 if (fctx->delaying && avpkt->size) {
- if (fctx->next_decoding >= (avctx->thread_count-1)) fctx->delaying = 0;
-
+ if (decoding_save >= (thread_count-1)) fctx->delaying = 0;
+
 *got_picture_ptr=0;
 return 0;
 }
@@ -551,8 +555,6 @@ int ff_thread_decode_frame(AVCodecContext *avctx,
 update_context_from_thread(avctx, p->avctx, 1);
- if (fctx->next_decoding >= avctx->thread_count) fctx->next_decoding = 0;
-
 fctx->next_finished = finished;
 return p->result;
--
1.7.4.1
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
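Review bot: The wrap bound for `fctx->next_decoding` is re-read from `avctx->thread_count` on every call (first hunk, `int thread_count = avctx->thread_count;`), while the per-thread array that index selects from is sized elsewhere, outside this diff. If the two can ever disagree, for instance because the field on the codec context is changed after the frame-thread context was set up (not verifiable from these hunks), the reset in the second hunk no longer guarantees an in-range index on the next call. I would take the bound from the count the array was actually allocated with, or at least state the invariant at the declaration, e.g. `/* must equal the number of per-thread contexts allocated at init */`. The body of ff_thread_decode_frame starts before and continues after this hunk.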
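Review bot: `decoding_save` in the second hunk needs a comment, because its name does not say that it holds the incremented but not yet wrapped index. It exists so that the `delaying` test can still compare against `thread_count-1` after `fctx->next_decoding` may already have been reset to 0. A line such as `/* pre-wrap value: next_decoding may already be 0 here */` above `decoding_save = fctx->next_decoding;` would make that explicit. Separately, both blank lines in this hunk are removed and re-added, which suggests the added ones carry trailing whitespace; strip it if so.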
