From c39e861a3d42c2beeae5d87fa8ddf87c36fac9b1 Mon Sep 17 00:00:00 2001
From: Lynne
Date: Sun, 25 Jun 2023 02:42:29 +0200
Subject: [PATCH] vulkan_h264: check if slices_buf exists on end_frame

The issue is that while decode_slice is guaranteed to never get called without start_frame, end_frame is not. Moreover, it is not guaranteed it won't be called twice. On a badly-broken sample, this is what happens, which leads to a segfault, as vp->slices_buf doesn't exist, as it has been handed off for decoding already and isn't owned by the frame. Return an error as it's indicative that it's a corrupt stream rather than just missing any slices. Prevents a segfault.
---
 libavcodec/vulkan_h264.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/libavcodec/vulkan_h264.c b/libavcodec/vulkan_h264.c
index 089a181bb4..84bcef7933 100644
--- a/libavcodec/vulkan_h264.c
+++ b/libavcodec/vulkan_h264.c
@@ -520,6 +520,9 @@ static int vk_h264_end_frame(AVCodecContext *avctx)
 if (!hp->h264_pic_info.sliceCount)
 return 0;
 
+ if (!vp->slices_buf)
+ return AVERROR(EINVAL);
+
 if (!dec->session_params) {
 int err = vk_h264_create_params(avctx, &dec->session_params);
 if (err < 0)
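Review bot: The new guard in vk_h264_end_frame returns `AVERROR(EINVAL)`, but the commit message attributes the condition to a corrupt stream, for which libavcodec's usual code is `AVERROR_INVALIDDATA`; EINVAL reads to callers as an API-usage error rather than bad input. I would change the line to `return AVERROR_INVALIDDATA;` and put a comment above the check, e.g. `/* end_frame can run without start_frame, or twice; slices_buf is then already handed off */`, since the reason currently lives only in the commit message. The guard also depends on the hand-off path resetting vp->slices_buf to NULL rather than leaving a stale pointer, which is not visible in this hunk and is worth confirming, because a repeated end_frame would otherwise pass the check and reuse a buffer the frame no longer owns. The function body starts and ends outside the hunk.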