From: Dirk Farin Date: Fri, 4 May 2018 14:30:37 +0000 (+0200) Subject: [PATCH] reference PPS from slice by shared_ptr to prevent usage after deallocation X-Git-Tag: archive/raspbian/1.0.3-1+rpi1+deb10u3^2~1 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=9cd8df7ab5c637cc0c0969f86439397fcf3c2cd0;p=libde265.git [PATCH] reference PPS from slice by shared_ptr to prevent usage after deallocation Gbp-Pq: Name fix-use-after-free.patch --- diff --git a/libde265/decctx.h b/libde265/decctx.h index 5e074c3..aa9812b 100644 --- a/libde265/decctx.h +++ b/libde265/decctx.h @@ -306,6 +306,8 @@ class decoder_context : public base_context { /* */ pic_parameter_set* get_pps(int id) { return pps[id].get(); } const pic_parameter_set* get_pps(int id) const { return pps[id].get(); } + std::shared_ptr get_shared_pps(int id) { return pps[id]; } + /* const slice_segment_header* get_SliceHeader_atCtb(int ctb) { return img->slices[img->get_SliceHeaderIndex_atIndex(ctb)]; diff --git a/libde265/encoder/encoder-context.cc b/libde265/encoder/encoder-context.cc index 87f03e8..bb045d6 100644 --- a/libde265/encoder/encoder-context.cc +++ b/libde265/encoder/encoder-context.cc @@ -267,7 +267,7 @@ de265_error encoder_context::encode_picture_from_input_buffer() imgdata->shdr.slice_loop_filter_across_slices_enabled_flag = false; imgdata->shdr.compute_derived_values(pps.get()); - imgdata->shdr.pps = &get_pps(); + imgdata->shdr.pps = pps; //shdr.slice_pic_order_cnt_lsb = poc & 0xFF; diff --git a/libde265/motion.cc b/libde265/motion.cc index 67a36a4..9b22d75 100644 --- a/libde265/motion.cc +++ b/libde265/motion.cc @@ -290,7 +290,7 @@ void generate_inter_prediction_samples(base_context* ctx, void* pixels[3]; int stride[3]; - const pic_parameter_set* pps = shdr->pps; + const pic_parameter_set* pps = shdr->pps.get(); const seq_parameter_set* sps = &img->get_sps(); const int SubWidthC = sps->SubWidthC; diff --git a/libde265/slice.cc b/libde265/slice.cc index 1b01dbd..37da4e3 100644 
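Review bot: `get_shared_pps(int id)` in the decctx.h hunk indexes `pps[id]` with no range check, the same as the two `get_pps` overloads above it, so every caller has to validate `id` first. The slice.cc hunk passes `slice_pic_parameter_set_id`, which looks like a value parsed from the bitstream; the check that guards it is presumably the early `return DE265_OK;` just above that call, but it lies outside the visible lines. I would state the contract on the accessor, e.g. `// id must be a valid index into pps[]; the returned pointer may be empty if that slot holds no PPS`, and consider an `assert` on the range for debug builds. The class body continues outside the hunk.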
--- a/libde265/slice.cc +++ b/libde265/slice.cc @@ -384,7 +384,7 @@ de265_error slice_segment_header::read(bitreader* br, decoder_context* ctx, return DE265_OK; } - pps = ctx->get_pps(slice_pic_parameter_set_id); + pps = ctx->get_shared_pps(slice_pic_parameter_set_id); const seq_parameter_set* sps = pps->sps; if (!sps->sps_read) { @@ -872,7 +872,7 @@ de265_error slice_segment_header::read(bitreader* br, decoder_context* ctx, } - compute_derived_values(pps); + compute_derived_values(pps.get()); *continueDecoding = true; return DE265_OK; diff --git a/libde265/slice.h b/libde265/slice.h index 0232d0a..0f476f2 100644 --- a/libde265/slice.h +++ b/libde265/slice.h @@ -33,6 +33,7 @@ #include #include +#include #define MAX_NUM_REF_PICS 16 @@ -145,7 +146,7 @@ public: int slice_index; // index through all slices in a picture (internal only) - const pic_parameter_set* pps; + std::shared_ptr pps; char first_slice_segment_in_pic_flag;
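Review bot: The line after the changed assignment, `const seq_parameter_set* sps = pps->sps;`, still reaches the SPS through a plain pointer stored in the PPS, so the slice header now keeps the PPS alive but nothing visible here keeps the SPS alive. If a stream can replace or drop an SPS while slices that reference it through an older PPS are still pending, the same kind of stale access this patch closes for the PPS could remain one level down; that depends on how `pic_parameter_set::sps` is owned, which this page does not show. `pps->sps` is also dereferenced without checking that `get_shared_pps` returned a non-empty pointer, which is safe only if the guard above the hunk covers an unset slot. At minimum I would add `// pps->sps is non-owning: the SPS must outlive every slice header holding this PPS` at this point. `slice_segment_header::read` starts and ends outside the hunk.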
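Review bot: Turning `pps` into a `std::shared_ptr` member in the second slice.h hunk makes `slice_segment_header` non-trivially copyable, so any place that clears or copies a header bytewise (`memset`, `memcpy`, a raw buffer of headers) would now be undefined behaviour and could corrupt the reference count. Nothing of that kind is visible in this diff, so it is worth a search of the tree before merging. The member also deserves a comment saying why it owns, e.g. `// owning reference: keeps the PPS alive while this slice is decoded, even if the decoder replaces it`. The class body continues outside the hunk.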