From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ffmpeg-devel-bounces@ffmpeg.org>
Received: from ffbox0-bg.mplayerhq.hu (ffbox0-bg.ffmpeg.org [79.124.17.100])
	by master.gitmailbox.com (Postfix) with ESMTP id 977494B22D
	for <ffmpegdev@gitmailbox.com>; Fri, 31 May 2024 13:36:53 +0000 (UTC)
Received: from [127.0.1.1] (localhost [127.0.0.1])
	by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTP id 4008968D41B;
	Fri, 31 May 2024 16:36:51 +0300 (EEST)
Received: from sender-op-o11.zoho.eu (sender-op-o11.zoho.eu [136.143.169.11])
 by ffbox0-bg.mplayerhq.hu (Postfix) with ESMTPS id 799FB68C094
 for <ffmpeg-devel@ffmpeg.org>; Fri, 31 May 2024 16:36:44 +0300 (EEST)
ARC-Seal: i=1; a=rsa-sha256; t=1717162599; cv=none; d=zohomail.eu; s=zohoarc; 
 b=ckPxlnQ6QYn3tEKxPYJDyL+/axy7H93wumnibUXDKBo4c01D/c2tMxIs+o6dPlNdpVHJufDra2rptKaUDf3tmDKn5EovNGlgrBZeM8J3M75z8nLNe288kSz1C42DSRXNTp0NYKYte/spyaUJ+Il/2sReJq3oJoegKcm7Hv+pKdw=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.eu;
 s=zohoarc; t=1717162599;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:MIME-Version:Message-ID:Subject:Subject:To:To:Message-Id:Reply-To;
 bh=Brg6SKrlUhsfIDhIioMiG+JxoClndkLw+h+QEty1BdE=; 
 b=amzGK9jXu1ye55hSaK/zcYbXFvibKR9vvL7OCRkP2ltq00SfFzk2cvXWpqzxrIziDLUX3u5y0MF8Ro261Br2VuVCwVmZTpeG9aV/4BXg9YjQ+zoSvzMtPF3UuMDkdNZbd5LJS2Om3+0udkmXav/YFotCvbAMeCgbFQ9ieNTnEL8=
ARC-Authentication-Results: i=1; mx.zohomail.eu;
 dkim=pass  header.i=frankplowman.com;
 spf=pass  smtp.mailfrom=post@frankplowman.com;
 dmarc=pass header.from=<post@frankplowman.com>
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1717162599; 
 s=zmail; d=frankplowman.com; i=post@frankplowman.com;
 h=From:From:To:To:Cc:Cc:Subject:Subject:Date:Date:Message-ID:MIME-Version:Content-Transfer-Encoding:Message-Id:Reply-To;
 bh=Brg6SKrlUhsfIDhIioMiG+JxoClndkLw+h+QEty1BdE=;
 b=c0fZ8q7I8xJvP6OQIM2JC2EhNooC2aq7beqimrzEXtElJYYgo7eyOX7/SpTuRFVw
 mB1FskjNj8c8xBaME5vIbSEMe+xzHGxATRfxvIBOpbcl/cuS65xLYg+32+1RJPvIAi9
 NgH/8OFJ0CugwqrOyWT8rQ++QAT7YCNO81pQOikA=
Received: by mx.zoho.eu with SMTPS id 1717162598017923.1090321664519;
 Fri, 31 May 2024 15:36:38 +0200 (CEST)
From: Frank Plowman <post@frankplowman.com>
To: ffmpeg-devel@ffmpeg.org
Date: Fri, 31 May 2024 14:36:25 +0100
Message-ID: <20240531133625.98622-1-post@frankplowman.com>
X-Mailer: git-send-email 2.45.1
MIME-Version: 1.0
X-ZohoMailClient: External
Subject: [FFmpeg-devel] [PATCH] lavc/vvc: Don't free uninitialised pic arrays
X-BeenThere: ffmpeg-devel@ffmpeg.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: FFmpeg development discussions and patches <ffmpeg-devel.ffmpeg.org>
List-Unsubscribe: <https://ffmpeg.org/mailman/options/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=unsubscribe>
List-Archive: <https://ffmpeg.org/pipermail/ffmpeg-devel>
List-Post: <mailto:ffmpeg-devel@ffmpeg.org>
List-Help: <mailto:ffmpeg-devel-request@ffmpeg.org?subject=help>
List-Subscribe: <https://ffmpeg.org/mailman/listinfo/ffmpeg-devel>,
 <mailto:ffmpeg-devel-request@ffmpeg.org?subject=subscribe>
Reply-To: FFmpeg development discussions and patches <ffmpeg-devel@ffmpeg.org>
Cc: Frank Plowman <post@frankplowman.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ffmpeg-devel-bounces@ffmpeg.org
Sender: "ffmpeg-devel" <ffmpeg-devel-bounces@ffmpeg.org>
Archived-At: <https://master.gitmailbox.com/ffmpegdev/20240531133625.98622-1-post@frankplowman.com/>
List-Archive: <https://master.gitmailbox.com/ffmpegdev/>
List-Post: <mailto:ffmpegdev@gitmailbox.com>

The picture arrays are not initialised at the same time as the frame
context itself, but rather when the relevant frame begins being decoded.
As such, situations can arise where the frame context is being freed but
the picture arrays have not yet been initialised.  This could lead to
various UB and ultimately crashes.  Patch prevents this by adding an
initialised flag associated with the picture arrays.

Signed-off-by: Frank Plowman <post@frankplowman.com>
---
 libavcodec/vvc/dec.c | 7 +++++++
 libavcodec/vvc/dec.h | 2 ++
 2 files changed, 9 insertions(+)

diff --git a/libavcodec/vvc/dec.c b/libavcodec/vvc/dec.c
index e53ad4e607..32e5bc0cd8 100644
--- a/libavcodec/vvc/dec.c
+++ b/libavcodec/vvc/dec.c
@@ -327,6 +327,9 @@ static void free_cus(VVCFrameContext *fc)
 
 static void pic_arrays_free(VVCFrameContext *fc)
 {
+    if (!fc->tab.initialised)
+        return;
+
     free_cus(fc);
     frame_context_for_each_tl(fc, tl_free);
     ff_refstruct_pool_uninit(&fc->rpl_tab_pool);
@@ -380,6 +383,8 @@ static int pic_arrays_init(VVCContext *s, VVCFrameContext *fc)
     fc->tab.sz.bs_width           = (fc->ps.pps->width >> 2) + 1;
     fc->tab.sz.bs_height          = (fc->ps.pps->height >> 2) + 1;
 
+    fc->tab.initialised = 1;
+
     return 0;
 }
 
@@ -627,6 +632,8 @@ static av_cold int frame_context_init(VVCFrameContext *fc, AVCodecContext *avctx
     if (!fc->tu_pool)
         return AVERROR(ENOMEM);
 
+    fc->tab.initialised = 0;
+
     return 0;
 }
 
diff --git a/libavcodec/vvc/dec.h b/libavcodec/vvc/dec.h
index 1e0b76f283..1721ba3a15 100644
--- a/libavcodec/vvc/dec.h
+++ b/libavcodec/vvc/dec.h
@@ -212,6 +212,8 @@ typedef struct VVCFrameContext {
             int bs_height;
             int ibc_buffer_width;       ///< IbcBufWidth
         } sz;
+
+        int initialised;
     } tab;
 } VVCFrameContext;
 
-- 
2.45.1

_______________________________________________
ffmpeg-devel mailing list
ffmpeg-devel@ffmpeg.org
https://ffmpeg.org/mailman/listinfo/ffmpeg-devel

To unsubscribe, visit link above, or email
ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".