From 971866f88bba20d7e2a993b1125bde6a8a5228d9 Mon Sep 17 00:00:00 2001
From: Xiaohan Wang <xhwang@chromium.org>
Date: Sat, 3 Feb 2018 01:43:35 -0800
Subject: [PATCH] ffmpeg: Abort early on decode_slice error

When decode_slice() fails, it is possible that ff_h264_decode_mb_cavlc()
failed due to wrong sl->qscale values, e.g. dquant out of range. In this
case, we should abort early instead of continuing. Otherwise, we could be
using the wrong sl->qscale and cause access violations.

BUG=806122
---
 libavcodec/h264_slice.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/libavcodec/h264_slice.c b/libavcodec/h264_slice.c
index e6b7998834..a638414688 100644
--- a/libavcodec/h264_slice.c
+++ b/libavcodec/h264_slice.c
@@ -2734,6 +2734,7 @@ int ff_h264_execute_decode_slices(H264Context *h)
     H264SliceContext *sl;
     int context_count = h->nb_slice_ctx_queued;
     int ret = 0;
+    int *ret_array = NULL;
     int i, j;
 
     h->slice_ctx[0].next_slice_idx = INT_MAX;
@@ -2776,8 +2777,21 @@ int ff_h264_execute_decode_slices(H264Context *h)
             sl->next_slice_idx = next_slice_idx;
         }
 
+        ret_array = av_malloc_array(context_count, sizeof(int));
+        if (!ret_array) {
+            ret = AVERROR(ENOMEM);
+            goto finish;
+        }
+
         avctx->execute(avctx, decode_slice, h->slice_ctx,
-                       NULL, context_count, sizeof(h->slice_ctx[0]));
+                       ret_array, context_count, sizeof(h->slice_ctx[0]));
+
+        for (i = 0; i < context_count; i++) {
+            if (ret_array[i] < 0) {
+                ret = ret_array[i];
+                goto finish;
+            }
+        }
 
         /* pull back stuff from slices to master context */
         sl                   = &h->slice_ctx[context_count - 1];
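Review bot: The new loop reads `ret_array[i]` for every one of the `context_count` slots, but the array comes from `av_malloc_array`, so any slot that `avctx->execute` does not store into is uninitialized; the default implementation fills all of them, but a user-supplied `execute` is not obliged to, and the return value of the `execute` call itself is still discarded on the line above the loop. Allocating with `av_mallocz_array(context_count, sizeof(int))` makes the read defined in that case, and capturing the call as `ret = avctx->execute(...); if (ret < 0) goto finish;` also catches a failure of the job runner itself rather than of an individual slice. The per-call heap allocation (and its new ENOMEM failure path) could be avoided by keeping a small result array in H264Context sized with the slice contexts, though that lives outside this hunk. Note that the early `goto finish` also skips the pull-back of per-slice state into the master context that follows; presumably that is intended because the frame is dropped on error, but it is worth a one-line comment such as `/* leave master state untouched: the frame is discarded on error */`. The enclosing function continues past this hunk.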
@@ -2808,5 +2822,6 @@ int ff_h264_execute_decode_slices(H264Context *h)
 
 finish:
     h->nb_slice_ctx_queued = 0;
+    av_free(ret_array);
     return ret;
 }
-- 
2.16.0.rc1.238.g530d649a79-goog

