I initially discovered a signed integer overflow on this line. Since
this value is updated in multiple threads, I use an atomic update and
as it happens atomic addition is defined to wrap around. However,
there's still a potential bug in that the error_count may wrap around
and equal zero again causing problems down the line.

---
 libavcodec/mpeg12dec.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libavcodec/mpeg12dec.c b/libavcodec/mpeg12dec.c
index d5bc5f21b2..b7c3b5106e 100644
--- a/libavcodec/mpeg12dec.c
+++ b/libavcodec/mpeg12dec.c
@@ -28,6 +28,7 @@
 #define UNCHECKED_BITSTREAM_READER 1
 #include <inttypes.h>

+#include "libavutil/atomic.h"
 #include "libavutil/attributes.h"
 #include "libavutil/imgutils.h"
 #include "libavutil/internal.h"
@@ -2476,7 +2477,7 @@ static int decode_chunks(AVCodecContext *avctx,
AVFrame *picture,
                                    &s2->thread_context[0], NULL,
                                    s->slice_count, sizeof(void *));
                     for (i = 0; i < s->slice_count; i++)
-                        s2->er.error_count +=
s2->thread_context[i]->er.error_count;
+
avpriv_atomic_int_add_and_fetch(&s2->er.error_count,
s2->thread_context[i]->er.error_count);
                 }

                 ret = slice_end(avctx, picture);
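Review bot: the atomic add in the slice_count loop makes the overflow well defined, but it does not stop s2->er.error_count from wrapping back to zero, which the commit message itself flags as a remaining problem. Any later check that treats a zero count as "no errors" would then accept a heavily damaged picture. Consider a saturating accumulation instead, for example clamping the running sum at INT_MAX, so that a non-zero count can never become zero. Also, thread_context[i]->er.error_count is still read with a plain load on the + line. If other threads can be writing at this point, the read side needs the same treatment. If they cannot, since the loop follows the execute call, a plain saturating add would be enough and the atomic is not needed. Finally, the hunk as mailed is line-wrapped (the @@ header and both the - and + lines are split across lines), so it will not apply as sent; please resend with git send-email or as an attachment.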
-- 
2.15.0.448.gf294e3d99a-goog
