File ffmpeg-CVE-2022-48434.patch of Package ffmpeg-4.27702

Overview Repositories Revisions Requests Users Attributes Meta

File ffmpeg-CVE-2022-48434.patch of Package ffmpeg-4.27702

diff --unified --recursive --text --new-file --color ffmpeg-4.4.old/libavcodec/pthread_frame.c ffmpeg-4.4.new/libavcodec/pthread_frame.c
--- ffmpeg-4.4.old/libavcodec/pthread_frame.c	2021-04-09 05:28:39.000000000 +0800
+++ ffmpeg-4.4.new/libavcodec/pthread_frame.c	2023-04-27 17:50:49.774581394 +0800
@@ -145,6 +145,12 @@
                                     * Set for the first N packets, where N is the number of threads.
                                     * While it is set, ff_thread_en/decode_frame won't return any results.
                                     */
+
+    /* hwaccel state is temporarily stored here in order to transfer its ownership
+     * to the next decoding thread without the need for extra synchronization */
+    const AVHWAccel *stash_hwaccel;
+    void            *stash_hwaccel_context;
+    void            *stash_hwaccel_priv;
 } FrameThreadContext;
 
 #if FF_API_THREAD_SAFE_CALLBACKS
@@ -229,9 +235,17 @@
             ff_thread_finish_setup(avctx);
 
         if (p->hwaccel_serializing) {
+            /* wipe hwaccel state to avoid stale pointers lying around;
+             * the state was transferred to FrameThreadContext in
+             * ff_thread_finish_setup(), so nothing is leaked */
+            avctx->hwaccel                     = NULL;
+            avctx->hwaccel_context             = NULL;
+            avctx->internal->hwaccel_priv_data = NULL;
+
             p->hwaccel_serializing = 0;
             pthread_mutex_unlock(&p->parent->hwaccel_mutex);
         }
+        av_assert0(!avctx->hwaccel);
 
         if (p->async_serializing) {
             p->async_serializing = 0;
@@ -293,14 +307,10 @@
         dst->color_range = src->color_range;
         dst->chroma_sample_location = src->chroma_sample_location;
 
-        dst->hwaccel = src->hwaccel;
-        dst->hwaccel_context = src->hwaccel_context;
-
         dst->channels       = src->channels;
         dst->sample_rate    = src->sample_rate;
         dst->sample_fmt     = src->sample_fmt;
         dst->channel_layout = src->channel_layout;
-        dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
 
         if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
             (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
@@ -444,6 +454,12 @@
             pthread_mutex_unlock(&p->mutex);
             return err;
         }
+
+        /* transfer hwaccel state stashed from previous thread, if any */
+        av_assert0(!p->avctx->hwaccel);
+        FFSWAP(const AVHWAccel*, p->avctx->hwaccel,                     fctx->stash_hwaccel);
+        FFSWAP(void*,            p->avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+        FFSWAP(void*,            p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
     }
 
     av_packet_unref(p->avpkt);
@@ -649,6 +665,14 @@
         async_lock(p->parent);
     }
 
+    /* save hwaccel state for passing to the next thread;
+     * this is done here so that this worker thread can wipe its own hwaccel
+     * state after decoding, without requiring synchronization */
+    av_assert0(!p->parent->stash_hwaccel);
+    p->parent->stash_hwaccel         = avctx->hwaccel;
+    p->parent->stash_hwaccel_context = avctx->hwaccel_context;
+    p->parent->stash_hwaccel_priv    = avctx->internal->hwaccel_priv_data;
+
     pthread_mutex_lock(&p->progress_mutex);
     if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
         av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
@@ -743,20 +767,6 @@
 
     park_frame_worker_threads(fctx, thread_count);
 
-    if (fctx->prev_thread && avctx->internal->hwaccel_priv_data !=
-                             fctx->prev_thread->avctx->internal->hwaccel_priv_data) {
-        if (update_context_from_thread(avctx, fctx->prev_thread->avctx, 1) < 0) {
-            av_log(avctx, AV_LOG_ERROR, "Failed to update user thread.\n");
-        }
-    }
-
-    if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
-        if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
-            av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
-            fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy;
-            fctx->threads->avctx->internal->is_copy = 1;
-        }
-
     for (i = 0; i < thread_count; i++) {
         PerThreadContext *p = &fctx->threads[i];
         AVCodecContext *ctx = p->avctx;
@@ -803,6 +813,13 @@
     av_freep(&fctx->threads);
     free_pthread(fctx, thread_ctx_offsets);
 
+    /* if we have stashed hwaccel state, move it to the user-facing context,
+     * so it will be freed in avcodec_close() */
+    av_assert0(!avctx->hwaccel);
+    FFSWAP(const AVHWAccel*, avctx->hwaccel,                     fctx->stash_hwaccel);
+    FFSWAP(void*,            avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+    FFSWAP(void*,            avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+
     av_freep(&avctx->internal->thread_ctx);
 
     if (avctx->priv_data && avctx->codec && avctx->codec->priv_class)

Places

File ffmpeg-CVE-2022-48434.patch of Package ffmpeg-4.27702

Places