From: "Ronald S. Bultje" <[email protected]>

This will (in ER) write to the pic->mb_type[] array of the previous image, which may in a subsequent thread already have been re-used for a new image, thus causing two threads to write to the same pic->mb_type[] array, causing a race condition which can crash in rv34_decode_cbp(), called by rv34_decode_inter_mb_header() (which accesses mb_type[] twice, assuming values are maintained, which the race condition breaks).
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC: [email protected] --- libavcodec/rv34.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c index da5d437..3002c36 100644 --- a/libavcodec/rv34.c +++ b/libavcodec/rv34.c @@ -1652,7 +1652,9 @@ int ff_rv34_decode_frame(AVCodecContext *avctx, /* first slice */ if (si.start == 0) { - if (s->mb_num_left > 0) { + if (!(HAVE_THREADS && + (s->avctx->active_thread_type & FF_THREAD_FRAME)) && + s->mb_num_left > 0) { av_log(avctx, AV_LOG_ERROR, "New frame but still %d MB left.", s->mb_num_left); ff_er_frame_end(s); -- 1.7.9.2 _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
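Review bot: the new condition in ff_rv34_decode_frame() silently skips both the "New frame but still %d MB left." diagnostic and ff_er_frame_end() whenever frame threading is active, and nothing in the hunk explains why; a reader of `if (!(HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME)) && s->mb_num_left > 0)` will not see that error concealment is being bypassed because pic->mb_type[] may already belong to a picture re-used by another frame thread. Suggest a one-line comment above the condition stating that ER on a partial frame is unsafe under FF_THREAD_FRAME (the race described in the commit message), and consider keeping the av_log() call outside the thread check so truncated frames are still reported in threaded mode even though ff_er_frame_end() is not run.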
