From e1b4e5e727eacf8c5cc6af087af6757019175163 Mon Sep 17 00:00:00 2001 From: wm4 Date: Tue, 13 Mar 2018 10:33:37 +0100 Subject: mp_image: fix UB with certain callers like vf_vdpaupp vf_vdpaupp crashed on certain files (with --hwdec=vdpau --deinterlace). This happened for example with mpeg2 files, which for some reason typically contain some AVFrame side data. It turns out the last change in 55c88fdb8f1a9269 was not quite clean, and forgot the special cases in mp_image_new_dummy_ref(). This function is supposed to copy all metadata from the argument passed, except buffer refs. But there were new buffer refs, that were not cleared properly. Also, the ff_side_data pointer must be cleared, or the new mp_image would try to free it on destruction. The bottom line is that mp_image_new_dummy_ref() is a pretty bad idea, and I suppose all callers with non-NULL arguments should be changed to create a blank mp_image, and copy frame properties as needed (this includes callers of mp_image_new_custom_ref()). Fixes #5630. --- video/mp_image.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'video') diff --git a/video/mp_image.c b/video/mp_image.c index 108dba6545..a78aa19373 100644 --- a/video/mp_image.c +++ b/video/mp_image.c @@ -369,6 +369,10 @@ struct mp_image *mp_image_new_dummy_ref(struct mp_image *img) for (int p = 0; p < MP_MAX_PLANES; p++) new->bufs[p] = NULL; new->hwctx = NULL; + new->icc_profile = NULL; + new->a53_cc = NULL; + new->num_ff_side_data = 0; + new->ff_side_data = NULL; return new; } -- cgit v1.2.3