Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
From: frankplow via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: frankplow <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PATCH] lavc/hevc: Fix usage of slice segment in invalid state (PR #20869)
Date: Sat, 08 Nov 2025 18:44:13 -0000
Message-ID: <176262745433.25.7932891806333830296@2cb04c0e5124>

PR #20869 opened by frankplow
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20869
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20869.patch

Previously, we set s->slice_initialized to 0 to prevent other slice segments from depending on this slice segment only if hls_slice_header failed.  If decode_slice fails for some other reason, however, before decode_slice_data is called to bring the context back into a consistent state, then slices could depend on this slice segment while it is in an invalid state.  This can cause segmentation faults and other sorts of nastiness.  Patch fixes this by always setting s->slice_initialized to 0 while the state is inconsistent.

Resolves #11652.


From 59586a530a29b7f30c566fc8904c83e1053167bc Mon Sep 17 00:00:00 2001
From: Frank Plowman <post@frankplowman.com>
Date: Sat, 8 Nov 2025 18:35:51 +0000
Subject: [PATCH] lavc/hevc: Fix usage of slice segment in invalid state

Previously, we set s->slice_initialized to 0 to prevent other slice
segments from depending on this slice segment only if hls_slice_header
failed.  If decode_slice fails for some other reason, however, before
decode_slice_data is called to bring the context back into a consistent
state, then slices could depend on this slice segment while it is in an
invalid state.  This can cause segmentation faults and other sorts of
nastiness.  Patch fixes this by always setting s->slice_initialized to 0
while the state is inconsistent.

Resolves #11652.
---
 libavcodec/hevc/hevcdec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index 8d432a9a1f..74b4a4c046 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -3544,10 +3544,12 @@ static int decode_slice(HEVCContext *s, unsigned nal_idx, GetBitContext *gb)
 
     ret = hls_slice_header(&s->sh, s, gb);
     if (ret < 0) {
-        // hls_slice_header() does not cleanup on failure thus the state now is inconsistent so we cannot use it on dependent slices
-        s->slice_initialized = 0;
         return ret;
     }
+    // Once hls_slice_header has been called, the context is inconsistent with the slice header
+    // until the context is reinitialized according to the contents of the new slice header
+    // at the start of decode_slice_data.
+    s->slice_initialized = 0;
 
     if ((s->avctx->skip_frame >= AVDISCARD_BIDIR && s->sh.slice_type == HEVC_SLICE_B) ||
         (s->avctx->skip_frame >= AVDISCARD_NONINTRA && s->sh.slice_type != HEVC_SLICE_I) ||
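Review bot: the hunk drops the reset on the hls_slice_header() failure path without replacing it, so after `if (ret < 0) { return ret; }` s->slice_initialized keeps whatever value the previous slice segment left in it, while s->sh may already have been partially overwritten by the failed parse. That is exactly the inconsistency the removed comment described, and a following dependent slice segment would then be allowed to reuse the half-parsed header. Unless hls_slice_header() clears the flag itself (not visible in this hunk), consider moving the reset before the call, e.g. `s->slice_initialized = 0; ret = hls_slice_header(&s->sh, s, gb);`, which covers both the failure path and the post-call window the new comment describes, and lets decode_slice_data() remain the single place that sets it back to 1. It would also help to state in the comment which function re-establishes the flag, since the lifecycle now spans two functions.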
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
