In addition to the fact that av_image_copy() cannot handle hardware pixel formats, h->short_ref[0]->f may not be writable at this point.
Based on a patch by Hendrik Leppkes.
Signed-off-by: James Almer <jamr...@gmail.com>
---
This version fixes the fuzzed sample Michael talked about.
libavcodec/h264_slice.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index fa7a639053..14b945756b 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -1599,14 +1599,15 @@ static int h264_field_start(H264Context *h, const H264SliceContext *sl,
 ff_thread_await_progress(&prev->tf, INT_MAX, 0);
 if (prev->field_picture)
 ff_thread_await_progress(&prev->tf, INT_MAX, 1);
- av_image_copy(h->short_ref[0]->f->data,
- h->short_ref[0]->f->linesize,
- (const uint8_t **)prev->f->data,
- prev->f->linesize,
- prev->f->format,
- prev->f->width,
- prev->f->height);
+ ff_thread_release_buffer(h->avctx, &h->short_ref[0]->tf);
+ h->short_ref[0]->tf.f = h->short_ref[0]->f;
+ ret = ff_thread_ref_frame(&h->short_ref[0]->tf, &prev->tf);
+ if (ret < 0)
+ return ret;
 h->short_ref[0]->poc = prev->poc + 2U;
+ ff_thread_report_progress(&h->short_ref[0]->tf, INT_MAX, 0);
+ if (h->short_ref[0]->field_picture)
+ ff_thread_report_progress(&h->short_ref[0]->tf, INT_MAX, 1);
 } else if (!h->frame_recovered && !h->avctx->hwaccel)
 ff_color_frame(h->short_ref[0]->f, c);
 h->short_ref[0]->frame_num = h->poc.prev_frame_num;
--
2.30.1
_______________________________________________
ffmpeg-devel mailing list ffmpeg-devel@ffmpeg.org https://ffmpeg.org/mailman/listinfo/ffmpeg-devel To unsubscribe, visit link above, or email ffmpeg-devel-requ...@ffmpeg.org with subject "unsubscribe".
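Review bot: The `return ret;` after `ff_thread_ref_frame()` exits with `h->short_ref[0]` still in the reference list although its buffer was already released by the preceding `ff_thread_release_buffer()` call, and nothing visible in the hunk restores or drops that picture. Because the patch notes mention a fuzzed sample, it is worth confirming that the caller's error handling never reads `h->short_ref[0]->f->data` after this failure, and recording that with a comment such as `/* on failure short_ref[0] holds no buffer; it must be dropped before further decoding */`. The gap frame now also shares `prev`'s buffers instead of owning a copy, so a second comment like `/* short_ref[0] aliases prev's data from here on; do not write into it */` would guard against later code corrupting the previous picture. The body of h264_field_start() starts and ends outside the hunk, so the cleanup may exist in code not shown here.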