Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
* [FFmpeg-devel] [PATCH] lavc/hevc: Fix usage of slice segment in invalid state (PR #20869)
@ 2025-11-08 18:44 frankplow via ffmpeg-devel
  0 siblings, 0 replies; only message in thread
From: frankplow via ffmpeg-devel @ 2025-11-08 18:44 UTC (permalink / raw)
  To: ffmpeg-devel; +Cc: frankplow

PR #20869 opened by frankplow
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20869
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20869.patch

Previously, we set s->slice_initialized to 0 to prevent other slice segments from depending on this slice segment only if hls_slice_header failed.  If decode_slice fails for some other reason, however, before decode_slice_data is called to bring the context back into a consistent state, then slices could depend on this slice segment while it is in an invalid state.  This can cause segmentation faults and other sorts of nastiness.  Patch fixes this by always setting s->slice_initialized to 0 while the state is inconsistent.

Resolves #11652.


From 59586a530a29b7f30c566fc8904c83e1053167bc Mon Sep 17 00:00:00 2001
From: Frank Plowman <post@frankplowman.com>
Date: Sat, 8 Nov 2025 18:35:51 +0000
Subject: [PATCH] lavc/hevc: Fix usage of slice segment in invalid state

Previously, we set s->slice_initialized to 0 to prevent other slice
segments from depending on this slice segment only if hls_slice_header
failed.  If decode_slice fails for some other reason, however, before
decode_slice_data is called to bring the context back into a consistent
state, then slices could depend on this slice segment while it is in an
invalid state.  This can cause segmentation faults and other sorts of
nastiness.  Patch fixes this by always setting s->slice_initialized to 0
while the state is inconsistent.

Resolves #11652.
---
 libavcodec/hevc/hevcdec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index 8d432a9a1f..74b4a4c046 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -3544,10 +3544,12 @@ static int decode_slice(HEVCContext *s, unsigned nal_idx, GetBitContext *gb)
 
     ret = hls_slice_header(&s->sh, s, gb);
     if (ret < 0) {
-        // hls_slice_header() does not cleanup on failure thus the state now is inconsistent so we cannot use it on dependent slices
-        s->slice_initialized = 0;
         return ret;
     }
+    // Once hls_slice_header has been called, the context is inconsistent with the slice header
+    // until the context is reinitialized according to the contents of the new slice header
+    // at the start of decode_slice_data.
+    s->slice_initialized = 0;
 
     if ((s->avctx->skip_frame >= AVDISCARD_BIDIR && s->sh.slice_type == HEVC_SLICE_B) ||
         (s->avctx->skip_frame >= AVDISCARD_NONINTRA && s->sh.slice_type != HEVC_SLICE_I) ||
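Review bot: the hunk drops the reset on the hls_slice_header() failure path: the `return ret;` at the top of the hunk now runs before the new `s->slice_initialized = 0;`, so a failed header parse leaves the flag at whatever value the last successfully decoded segment gave it, while the comment being deleted says the state is inconsistent in exactly that case. Unless hls_slice_header() clears the flag itself before it can fail, move the assignment above the call (`s->slice_initialized = 0;` immediately before `ret = hls_slice_header(&s->sh, s, gb);`) so that both the failure and the success path are covered, and keep the comment next to it.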
-- 
2.49.1

_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
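The failure mode the commit message describes, as an added example that is not FFmpeg code: a toy model of the slice_initialized guard with the two reset policies side by side. The structs, the field names (hdr_value, state_value, inconsistent_uses) and the two injected failures (header_fails, post_header_fails) are constructed for this illustration and are not HEVCContext members; the assumption that a failing header parse has already overwritten part of the header follows the comment the patch removes. Two three-segment sequences are fed through: one where an independent segment fails after its header parsed, which the patch fixes, and one where the header parse itself fails, which only the pre-patch reset catches.

```c
/* Added example, not FFmpeg code: toy model of the slice_initialized guard.
 * All structs, names and failure injections are constructed for illustration. */
#include <stdio.h>

enum policy {
    RESET_ON_HEADER_FAILURE_ONLY,   /* behaviour before the patch */
    RESET_AFTER_HEADER_SUCCESS      /* behaviour after the patch */
};

/* hdr_value: what the most recently parsed header says.
 * state_value: what the context was last reinitialised to from a header.
 * They agree only once decode_slice_data() has run for that header. */
typedef struct {
    int slice_initialized;
    int hdr_value;
    int state_value;
    int inconsistent_uses;  /* dependent segments decoded against stale state */
} Ctx;

typedef struct {
    int dependent;          /* dependent_slice_segment_flag */
    int value;              /* header payload, independent segments only */
    int header_fails;       /* fail inside hls_slice_header() after writing */
    int post_header_fails;  /* fail after the header, before slice data */
} Slice;

/* Assumption matching the removed comment: on failure the header is
 * already partly overwritten. */
static int hls_slice_header(Ctx *c, const Slice *s)
{
    if (s->dependent) {
        if (!c->slice_initialized)
            return -1;      /* independent slice segment missing */
        return 0;           /* inherits the previous header and context */
    }
    c->hdr_value = s->value;
    return s->header_fails ? -1 : 0;
}

/* Reinitialises the context from the header and marks it usable again.
 * A dependent segment reaching this point consumes the current state. */
static int decode_slice_data(Ctx *c, const Slice *s)
{
    if (s->dependent && c->hdr_value != c->state_value)
        c->inconsistent_uses++;
    c->state_value = c->hdr_value;
    c->slice_initialized = 1;
    return 0;
}

static int decode_slice(Ctx *c, const Slice *s, enum policy p)
{
    int ret = hls_slice_header(c, s);
    if (ret < 0) {
        if (p == RESET_ON_HEADER_FAILURE_ONLY)
            c->slice_initialized = 0;
        return ret;
    }
    if (p == RESET_AFTER_HEADER_SUCCESS)
        c->slice_initialized = 0;
    if (s->post_header_fails)   /* e.g. the skip_frame checks, or any later error */
        return -1;
    return decode_slice_data(c, s);
}

/* Runs a constructed three-segment sequence and returns how many dependent
 * segments were decoded against a context inconsistent with its header. */
static int run(const Slice seq[3], enum policy p)
{
    Ctx c = { 0, 0, 0, 0 };
    for (int i = 0; i < 3; i++)
        decode_slice(&c, &seq[i], p);
    return c.inconsistent_uses;
}

/* Independent segment fails after its header parsed successfully. */
static int scenario_post_header_failure(enum policy p)
{
    const Slice seq[3] = { { 0, 1, 0, 0 }, { 0, 2, 0, 1 }, { 1, 0, 0, 0 } };
    return run(seq, p);
}

/* Independent segment fails inside header parsing. */
static int scenario_header_failure(enum policy p)
{
    const Slice seq[3] = { { 0, 1, 0, 0 }, { 0, 2, 1, 0 }, { 1, 0, 0, 0 } };
    return run(seq, p);
}

int main(void)
{
    printf("post-header failure: before=%d after=%d\n",
           scenario_post_header_failure(RESET_ON_HEADER_FAILURE_ONLY),
           scenario_post_header_failure(RESET_AFTER_HEADER_SUCCESS));
    printf("header failure:      before=%d after=%d\n",
           scenario_header_failure(RESET_ON_HEADER_FAILURE_ONLY),
           scenario_header_failure(RESET_AFTER_HEADER_SUCCESS));
    return 0;
}
```

Under the model the post-header scenario counts one stale use before the patch and none after, while the header-failure scenario is the reverse. Clearing the flag before hls_slice_header() is called makes both scenarios return 0, since the flag is then only ever set by decode_slice_data() after a complete reinitialisation.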

