
Side by Side Diff: chromium/patches/to_upstream/46_vp3_fix_double_free_invalid_read.patch

Issue 9290059: Initial commit of all previous Chrome build scripts. (Closed) Base URL: http://git.chromium.org/chromium/third_party/ffmpeg.git@master
Patch Set: Drop deprecated subfolder. Created 8 years, 11 months ago
(Empty)
1 From 7aa2c320924b41edd5ba8be5dfdcb521f7f42a48 Mon Sep 17 00:00:00 2001
2 From: "Ronald S. Bultje" <rsbultje@gmail.com>
3 Date: Thu, 20 Oct 2011 17:25:53 -0700
4 Subject: [PATCH] vp3: fix double free and invalid read.
5
6 If token < 0, we read invalid memory. Also, if the last decoding
7 iteration before codec close had an error, we didn't sync the frame
8 list and may end up free()'ing e.g. what was "last" for one thread
9 and "current" for another thread, i.e. double free(). Thus, on error,
10 simply erase the framelist.
11 ---
12 libavcodec/vp3.c | 13 ++++++++-----
13 1 files changed, 8 insertions(+), 5 deletions(-)
14
15 diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
16 index 9262c27..62acabf 100644
17 --- a/libavcodec/vp3.c
18 +++ b/libavcodec/vp3.c
19 @@ -890,7 +890,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *g b,
20 /* decode a VLC into a token */
21 token = get_vlc2(gb, vlc_table, 11, 3);
22 /* use the token to get a zero run, a coefficient, and an eob run * /
23 - if (token <= 6) {
24 + if ((unsigned) token <= 6U) {
25 eob_run = eob_run_base[token];
26 if (eob_run_get_bits[token])
27 eob_run += get_bits(gb, eob_run_get_bits[token]);
28 @@ -908,7 +908,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *g b,
29 coeff_i += eob_run;
30 eob_run = 0;
31 }
32 - } else {
33 + } else if (token >= 0) {
34 bits_to_get = coeff_get_bits[token];
35 if (bits_to_get)
36 bits_to_get = get_bits(gb, bits_to_get);
37 @@ -1777,10 +1777,15 @@ static int vp3_update_thread_context(AVCodecContext *dst , const AVCodecContext *
38 Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
39 int qps_changed = 0, i, err;
40
41 +#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
42 +
43 if (!s1->current_frame.data[0]
44 ||s->width != s1->width
45 - ||s->height!= s1->height)
46 + ||s->height!= s1->height) {
47 + if (s != s1)
48 + copy_fields(s, s1, golden_frame, current_frame);
49 return -1;
50 + }
51
52 if (s != s1) {
53 // init tables if the first frame hasn't been decoded
54 @@ -1796,8 +1801,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
55 memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * size of(*s->motion_val[1]));
56 }
57
58 -#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
59 -
60 // copy previous frame data
61 copy_fields(s, s1, golden_frame, dsp);
62
63 --
64 1.7.6
65
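Review bot: A negative token (a VLC decode failure from get_vlc2) now falls through both branches at the `(unsigned) token <= 6U` and `else if (token >= 0)` lines, so the loop continues with no coefficient consumed and no error reported; if that is not the intent, add `} else { return -1; }` (or whatever error value unpack_vlcs uses elsewhere) after the `token >= 0` branch so a corrupt bitstream stops decoding instead of spinning. The index guards are sufficient only if eob_run_base, eob_run_get_bits and coeff_get_bits are sized for every non-negative value get_vlc2 can return; that bound is presumably fixed by the table definitions, which are outside the hunk. In vp3_update_thread_context the new early-exit `copy_fields(s, s1, golden_frame, current_frame)` is the double-free fix the commit message describes but carries no comment in the code and relies on golden_frame..current_frame being adjacent fields; a one-liner such as `/* keep frame pointers in sync across threads even on error so codec close does not free a frame owned by another thread */` would keep the rationale with the code. Both unpack_vlcs and vp3_update_thread_context begin and end outside the hunks.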