1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
From d4b7b3c03ee2baf0166ce49dff17ec9beff684db Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Fri, 2 Sep 2022 22:21:27 +0200
Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
worker threads
This state is not refcounted, so make sure it always has a well-defined
owner.
Remove the block added in 091341f2ab5bd35ca1a2aae90503adc74f8d3523, as
this commit also solves that issue in a more general way.
(cherry picked from commit cc867f2c09d2b69cee8a0eccd62aff002cbbfe11)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 35aa7e70e7ec350319e7634a30d8d8aa1e6ecdda)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
(cherry picked from commit 3bc28e9d1ab33627cea3c632dd6b0c33e22e93ba)
Signed-off-by: Anton Khirnov <anton@khirnov.net>
CVE: CVE-2022-48434
Upstream-Status: Backport [https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/d4b7b3c03ee2baf0166ce49dff17ec9beff684db]
Signed-off-by: Ranjitsinh Rathod ranjitsinh.rathod@kpit.com
Comment: Hunk#6 refreshed to backport changes and other to remove patch-fuzz warnings
---
libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++---------
1 file changed, 35 insertions(+), 11 deletions(-)
diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
index 36ac0ac..bbc5ba6 100644
--- a/libavcodec/pthread_frame.c
+++ b/libavcodec/pthread_frame.c
@@ -135,6 +135,12 @@ typedef struct FrameThreadContext {
* Set for the first N packets, where N is the number of threads.
* While it is set, ff_thread_en/decode_frame won't return any results.
*/
+
+ /* hwaccel state is temporarily stored here in order to transfer its ownership
+ * to the next decoding thread without the need for extra synchronization */
+ const AVHWAccel *stash_hwaccel;
+ void *stash_hwaccel_context;
+ void *stash_hwaccel_priv;
} FrameThreadContext;
#define THREAD_SAFE_CALLBACKS(avctx) \
@@ -211,9 +217,17 @@ static attribute_align_arg void *frame_worker_thread(void *arg)
ff_thread_finish_setup(avctx);
if (p->hwaccel_serializing) {
+ /* wipe hwaccel state to avoid stale pointers lying around;
+ * the state was transferred to FrameThreadContext in
+ * ff_thread_finish_setup(), so nothing is leaked */
+ avctx->hwaccel = NULL;
+ avctx->hwaccel_context = NULL;
+ avctx->internal->hwaccel_priv_data = NULL;
+
p->hwaccel_serializing = 0;
pthread_mutex_unlock(&p->parent->hwaccel_mutex);
}
+ av_assert0(!avctx->hwaccel);
if (p->async_serializing) {
p->async_serializing = 0;
@@ -275,14 +289,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
dst->color_range = src->color_range;
dst->chroma_sample_location = src->chroma_sample_location;
- dst->hwaccel = src->hwaccel;
- dst->hwaccel_context = src->hwaccel_context;
-
dst->channels = src->channels;
dst->sample_rate = src->sample_rate;
dst->sample_fmt = src->sample_fmt;
dst->channel_layout = src->channel_layout;
- dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
(dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
@@ -415,6 +425,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
pthread_mutex_unlock(&p->mutex);
return err;
}
+
+ /* transfer hwaccel state stashed from previous thread, if any */
+ av_assert0(!p->avctx->hwaccel);
+ FFSWAP(const AVHWAccel*, p->avctx->hwaccel, fctx->stash_hwaccel);
+ FFSWAP(void*, p->avctx->hwaccel_context, fctx->stash_hwaccel_context);
+ FFSWAP(void*, p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
}
av_packet_unref(&p->avpkt);
@@ -616,6 +632,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
async_lock(p->parent);
}
+ /* save hwaccel state for passing to the next thread;
+ * this is done here so that this worker thread can wipe its own hwaccel
+ * state after decoding, without requiring synchronization */
+ av_assert0(!p->parent->stash_hwaccel);
+ p->parent->stash_hwaccel = avctx->hwaccel;
+ p->parent->stash_hwaccel_context = avctx->hwaccel_context;
+ p->parent->stash_hwaccel_priv = avctx->internal->hwaccel_priv_data;
+
pthread_mutex_lock(&p->progress_mutex);
if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
@@ -657,13 +681,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
park_frame_worker_threads(fctx, thread_count);
- if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
- if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
- av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
- fctx->prev_thread->avctx->internal->is_copy = fctx->threads->avctx->internal->is_copy;
- fctx->threads->avctx->internal->is_copy = 1;
- }
-
for (i = 0; i < thread_count; i++) {
PerThreadContext *p = &fctx->threads[i];
@@ -713,6 +730,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
pthread_mutex_destroy(&fctx->async_mutex);
pthread_cond_destroy(&fctx->async_cond);
+ /* if we have stashed hwaccel state, move it to the user-facing context,
+ * so it will be freed in avcodec_close() */
+ av_assert0(!avctx->hwaccel);
+ FFSWAP(const AVHWAccel*, avctx->hwaccel, fctx->stash_hwaccel);
+ FFSWAP(void*, avctx->hwaccel_context, fctx->stash_hwaccel_context);
+ FFSWAP(void*, avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+
av_freep(&avctx->internal->thread_ctx);
if (avctx->priv_data && avctx->codec && avctx->codec->priv_class)
--
2.25.1
|
