summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwm4 <wm4@nowhere>2018-03-13 10:33:37 +0100
committerKevin Mitchell <kevmitch@gmail.com>2018-03-15 23:13:53 -0700
commite1b4e5e727eacf8c5cc6af087af6757019175163 (patch)
tree6d203f956c710b5394ac403def74a6bfc0fd5163
parent38e5b141c69526808ed23807cc1012ea0c7630c0 (diff)
downloadmpv-e1b4e5e727eacf8c5cc6af087af6757019175163.tar.bz2
mpv-e1b4e5e727eacf8c5cc6af087af6757019175163.tar.xz
mp_image: fix UB with certain callers like vf_vdpaupp
vf_vdpaupp crashed on certain files (with --hwdec=vdpau --deinterlace). This happened for example with mpeg2 files, which for some reason typically contain some AVFrame side data. It turns out the last change in 55c88fdb8f1a9269 was not quite clean, and forgot the special cases in mp_image_new_dummy_ref(). This function is supposed to copy all metadata from the argument passed, except buffer refs. But there were new buffer refs, that were not cleared properly. Also, the ff_side_data pointer must be cleared, or the new mp_image would try to free it on destruction. The bottom line is that mp_image_new_dummy_ref() is a pretty bad idea, and I suppose all callers with non-NULL arguments should be changed to create a blank mp_image, and copy frame properties as needed (this includes callers of mp_image_new_custom_ref()). Fixes #5630.
-rw-r--r--video/mp_image.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/video/mp_image.c b/video/mp_image.c
index 108dba6545..a78aa19373 100644
--- a/video/mp_image.c
+++ b/video/mp_image.c
@@ -369,6 +369,10 @@ struct mp_image *mp_image_new_dummy_ref(struct mp_image *img)
for (int p = 0; p < MP_MAX_PLANES; p++)
new->bufs[p] = NULL;
new->hwctx = NULL;
+ new->icc_profile = NULL;
+ new->a53_cc = NULL;
+ new->num_ff_side_data = 0;
+ new->ff_side_data = NULL;
return new;
}