From: Andreas Rheinhardt
Date: Fri, 31 May 2024 18:11:41 +0200
To: ffmpeg-devel@ffmpeg.org
Subject: Re: [FFmpeg-devel] [PATCH] lavc/vvc: Don't free uninitialised pic arrays
In-Reply-To: <20240531133625.98622-1-post@frankplowman.com>

Frank Plowman:
> The picture arrays are not initialised at the same time as the frame
> context itself, but rather when the relevant frame begins being decoded.
> As such, situations can arise where the frame context is being freed but
> the picture arrays have not yet been initialised. This could lead to
> various UB and ultimately crashes. Patch prevents this by adding an
> initialised flag associated with the picture arrays.
>
> Signed-off-by: Frank Plowman
> --- > libavcodec/vvc/dec.c | 7 +++++++ > libavcodec/vvc/dec.h | 2 ++ > 2 files changed, 9 insertions(+) > > diff --git a/libavcodec/vvc/dec.c b/libavcodec/vvc/dec.c > index e53ad4e607..32e5bc0cd8 100644 > --- a/libavcodec/vvc/dec.c > +++ b/libavcodec/vvc/dec.c > @@ -327,6 +327,9 @@ static void free_cus(VVCFrameContext *fc) > > static void pic_arrays_free(VVCFrameContext *fc) > { > + if (!fc->tab.initialised) > + return; > + > free_cus(fc); > frame_context_for_each_tl(fc, tl_free); > ff_refstruct_pool_uninit(&fc->rpl_tab_pool); > @@ -380,6 +383,8 @@ static int pic_arrays_init(VVCContext *s, VVCFrameContext *fc) > fc->tab.sz.bs_width = (fc->ps.pps->width >> 2) + 1; > fc->tab.sz.bs_height = (fc->ps.pps->height >> 2) + 1; > > + fc->tab.initialised = 1; > + > return 0; > } > > @@ -627,6 +632,8 @@ static av_cold int frame_context_init(VVCFrameContext *fc, AVCodecContext *avctx > if (!fc->tu_pool) > return AVERROR(ENOMEM); > > + fc->tab.initialised = 0; > + > return 0; > } > > diff --git a/libavcodec/vvc/dec.h b/libavcodec/vvc/dec.h > index 1e0b76f283..1721ba3a15 100644 > --- a/libavcodec/vvc/dec.h > +++ b/libavcodec/vvc/dec.h
> @@ -212,6 +212,8 @@ typedef struct VVCFrameContext { > int bs_height; > int ibc_buffer_width; ///< IbcBufWidth > } sz; > + > + int initialised; > } tab; > } VVCFrameContext; >

This will lead to leaks when an error happens in pic_arrays_init() after some allocations succeeded.

- Andreas
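
Review bot: the guard added at the top of pic_arrays_free() (dec.c, hunk at -327) is never paired with a reset: all 9 insertions of this patch are visible and none of them sets the flag back to 0 after the frees have run. Once pic_arrays_init() has succeeded, the flag stays 1 for the lifetime of the frame context, so a later pic_arrays_free() call is not guarded at all. Suggest ending pic_arrays_free() with `fc->tab.initialised = 0;` so the flag tracks the actual state of the arrays.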
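
Review bot: in pic_arrays_init() (dec.c, hunk at -380) the line `fc->tab.initialised = 1;` is reached only immediately before `return 0;`. If an allocation earlier in the function fails after others have succeeded, the flag is still 0 and the new early return in pic_arrays_free() skips releasing what was already allocated. Suggest setting the flag before the first allocation, or dropping the flag and making the free path safe when the members were never allocated.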
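
Review bot: in frame_context_init() (dec.c, hunk at -627) the assignment `fc->tab.initialised = 0;` comes after `if (!fc->tu_pool) return AVERROR(ENOMEM);`, so that error return leaves the flag unwritten. If the frame context is zero-allocated the assignment is redundant; if it is not, cleanup after a failed init would test an indeterminate value in pic_arrays_free(). Suggest moving the assignment to the start of the function, or removing it and stating in a comment that zero-initialisation is relied on.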
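
Review bot: the new `int initialised;` member of `tab` in dec.h is undocumented, while the neighbouring `ibc_buffer_width` carries a `///<` comment. Suggest a short doxygen comment stating that it is set by pic_arrays_init() and checked by pic_arrays_free(), so the contract is visible from the header.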