PR #20869 opened by frankplow URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20869 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/20869.patch
Previously, we set s->slice_initialized to 0 to prevent other slice segments from depending on this slice segment only if hls_slice_header failed. If decode_slice fails for some other reason, however, before decode_slice_data is called to bring the context back into a consistent state, then slices could depend on this slice segment while it is in an invalid state. This can cause segmentation faults and other sorts of nastiness. Patch fixes this by always setting s->slice_initialized to 0 while the state is inconsistent.

Resolves #11652.

From 59586a530a29b7f30c566fc8904c83e1053167bc Mon Sep 17 00:00:00 2001
From: Frank Plowman <[email protected]>
Date: Sat, 8 Nov 2025 18:35:51 +0000
Subject: [PATCH] lavc/hevc: Fix usage of slice segment in invalid state

Previously, we set s->slice_initialized to 0 to prevent other slice segments from depending on this slice segment only if hls_slice_header failed. If decode_slice fails for some other reason, however, before decode_slice_data is called to bring the context back into a consistent state, then slices could depend on this slice segment while it is in an invalid state. This can cause segmentation faults and other sorts of nastiness. Patch fixes this by always setting s->slice_initialized to 0 while the state is inconsistent.

Resolves #11652.
---
 libavcodec/hevc/hevcdec.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/libavcodec/hevc/hevcdec.c b/libavcodec/hevc/hevcdec.c
index 8d432a9a1f..74b4a4c046 100644
--- a/libavcodec/hevc/hevcdec.c
+++ b/libavcodec/hevc/hevcdec.c
@@ -3544,10 +3544,12 @@ static int decode_slice(HEVCContext *s, unsigned nal_idx, GetBitContext *gb) ret = hls_slice_header(&s->sh, s, gb); if (ret < 0) { - // hls_slice_header() does not cleanup on failure thus the state now is inconsistent so we cannot use it on dependent slices - s->slice_initialized = 0; return ret; } + // Once hls_slice_header has been called, the context is inconsistent with the slice header + // until the context is reinitialized according to the contents of the new slice header + // at the start of decode_slice_data. + s->slice_initialized = 0; if ((s->avctx->skip_frame >= AVDISCARD_BIDIR && s->sh.slice_type == HEVC_SLICE_B) || (s->avctx->skip_frame >= AVDISCARD_NONINTRA && s->sh.slice_type != HEVC_SLICE_I) || -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
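Review bot: the hls_slice_header() failure path no longer clears the flag. With `s->slice_initialized = 0;` moved below `if (ret < 0) { return ret; }` in this hunk, a slice segment whose header fails to parse returns with s->slice_initialized left at whatever the previous slice set it to, which is precisely the case the removed comment ("hls_slice_header() does not cleanup on failure thus the state now is inconsistent") was guarding against, and it does not match the commit message's "always setting s->slice_initialized to 0 while the state is inconsistent". Unless hls_slice_header() resets the flag itself (not visible in this hunk), suggest clearing it before the call so both the failure and the success path are covered, e.g. `s->slice_initialized = 0;` followed by `ret = hls_slice_header(&s->sh, s, gb); if (ret < 0) return ret;`, and extending the new comment to say that the flag is only set back to 1 once decode_slice_data has reinitialized the context, so the invariant is documented at the point where it is established.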
