From e40c964a0678908e2c756741343ed50d6a99ee12 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Fri, 28 Apr 2023 11:45:30 +0000
Subject: [PATCH] lavc/pthread_frame: avoid leaving stale hwaccel state in
 worker threads

This state is not refcounted, so make sure it always has a well-defined
owner.

Remove the block added in 091341f, as
this commit also solves that issue in a more general way.

CVE: CVE-2022-48434

Upstream-Status: Backport [https://github.com/FFmpeg/FFmpeg/commit/cc867f2c09d2b69cee8a0eccd62aff002cbbfe11]

Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
---
 libavcodec/pthread_frame.c | 46 +++++++++++++++++++++++++++++---------
 1 file changed, 35 insertions(+), 11 deletions(-)

diff --git a/libavcodec/pthread_frame.c b/libavcodec/pthread_frame.c
index 85a6bc9..e40dced 100644
--- a/libavcodec/pthread_frame.c
+++ b/libavcodec/pthread_frame.c
@@ -145,6 +145,12 @@ typedef struct FrameThreadContext {
                                     * Set for the first N packets, where N is the number of threads.
                                     * While it is set, ff_thread_en/decode_frame won't return any results.
                                     */
+
+    /* hwaccel state is temporarily stored here in order to transfer its ownership
+     * to the next decoding thread without the need for extra synchronization */
+    const AVHWAccel *stash_hwaccel;
+    void            *stash_hwaccel_context;
+    void            *stash_hwaccel_priv;
 } FrameThreadContext;
 
 #if FF_API_THREAD_SAFE_CALLBACKS
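Review bot: The three new stash_* fields hand ownership of non-refcounted state from one worker to the next, but the field comment does not say who writes them and who drains them, and that is exactly the single-owner invariant the `av_assert0(!p->parent->stash_hwaccel)` and `av_assert0(!p->avctx->hwaccel)` checks in the other hunks of this patch rely on. I would extend the comment to state the lifecycle this patch visibly implements: the fields are written by ff_thread_finish_setup() on the thread that owns the state, consumed (swapped out) by submit_packet() when the next thread is primed, and finally swapped into the user-facing context by ff_frame_thread_free() so avcodec_close() frees them, with at most one holder at any time. The "without the need for extra synchronization" claim presumably rests on the existing state/progress_mutex hand-off between setup and the next submit; naming that ordering in the comment would let a reader verify it rather than take it on faith.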
@@ -229,9 +235,17 @@ FF_ENABLE_DEPRECATION_WARNINGS
             ff_thread_finish_setup(avctx);
 
         if (p->hwaccel_serializing) {
+            /* wipe hwaccel state to avoid stale pointers lying around;
+             * the state was transferred to FrameThreadContext in
+             * ff_thread_finish_setup(), so nothing is leaked */
+            avctx->hwaccel                     = NULL;
+            avctx->hwaccel_context             = NULL;
+            avctx->internal->hwaccel_priv_data = NULL;
+
             p->hwaccel_serializing = 0;
             pthread_mutex_unlock(&p->parent->hwaccel_mutex);
         }
+        av_assert0(!avctx->hwaccel);
 
         if (p->async_serializing) {
             p->async_serializing = 0;
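Review bot: The `av_assert0(!avctx->hwaccel)` is unconditional while the wipe just above it runs only inside `if (p->hwaccel_serializing)`, so the check is sound only if every path that sets `avctx->hwaccel` on a worker also sets `hwaccel_serializing` before reaching this point; the ff_thread_finish_setup() call at the top of the hunk looks like what guarantees that, but that logic lives outside the hunk and is not visible here. A short comment next to the assert would save the next reader from re-deriving it, e.g. `/* any hwaccel this thread acquired was stashed by ff_thread_finish_setup(); a leftover pointer here would be a second owner */`. It is also worth noting in the comment that av_assert0 aborts in release builds and that this is the intended fail-closed choice over leaving a dangling hwaccel_priv_data for the next frame. The worker loop that encloses this code starts and ends outside the hunk.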
@@ -294,14 +308,10 @@ static int update_context_from_thread(AVCodecContext *dst, AVCodecContext *src,
         dst->color_range = src->color_range;
         dst->chroma_sample_location = src->chroma_sample_location;
 
-        dst->hwaccel = src->hwaccel;
-        dst->hwaccel_context = src->hwaccel_context;
-
         dst->channels       = src->channels;
         dst->sample_rate    = src->sample_rate;
         dst->sample_fmt     = src->sample_fmt;
         dst->channel_layout = src->channel_layout;
-        dst->internal->hwaccel_priv_data = src->internal->hwaccel_priv_data;
 
         if (!!dst->hw_frames_ctx != !!src->hw_frames_ctx ||
             (dst->hw_frames_ctx && dst->hw_frames_ctx->data != src->hw_frames_ctx->data)) {
@@ -442,6 +452,12 @@ static int submit_packet(PerThreadContext *p, AVCodecContext *user_avctx,
             pthread_mutex_unlock(&p->mutex);
             return err;
         }
+
+        /* transfer hwaccel state stashed from previous thread, if any */
+        av_assert0(!p->avctx->hwaccel);
+        FFSWAP(const AVHWAccel*, p->avctx->hwaccel,                     fctx->stash_hwaccel);
+        FFSWAP(void*,            p->avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+        FFSWAP(void*,            p->avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
     }
 
     av_packet_unref(p->avpkt);
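Review bot: Only `p->avctx->hwaccel` is asserted empty before the three FFSWAPs, so a worker that still held a `hwaccel_priv_data` pointer would silently move it into `fctx->stash_hwaccel_priv`, from where it is handed to a later thread or to the user context in ff_frame_thread_free() — the two-owner situation this patch exists to prevent. If, as the worker-thread hunk suggests, priv_data is always cleared together with hwaccel, tightening the check to `av_assert0(!p->avctx->hwaccel && !p->avctx->internal->hwaccel_priv_data);` costs nothing and catches that case at the point of transfer. `hwaccel_context` is an application-supplied pointer that is legitimately non-NULL on every thread, so it should stay out of the assert. The transfer runs only inside the branch that begins before this hunk; the `return err` just above it leaves the stash untouched, which the final ff_frame_thread_free() hunk then drains.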
@@ -647,6 +663,14 @@ void ff_thread_finish_setup(AVCodecContext *avctx) {
         async_lock(p->parent);
     }
 
+    /* save hwaccel state for passing to the next thread;
+     * this is done here so that this worker thread can wipe its own hwaccel
+     * state after decoding, without requiring synchronization */
+    av_assert0(!p->parent->stash_hwaccel);
+    p->parent->stash_hwaccel         = avctx->hwaccel;
+    p->parent->stash_hwaccel_context = avctx->hwaccel_context;
+    p->parent->stash_hwaccel_priv    = avctx->internal->hwaccel_priv_data;
+
     pthread_mutex_lock(&p->progress_mutex);
     if(atomic_load(&p->state) == STATE_SETUP_FINISHED){
         av_log(avctx, AV_LOG_WARNING, "Multiple ff_thread_finish_setup() calls\n");
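Review bot: The new `av_assert0(!p->parent->stash_hwaccel)` executes before the existing "Multiple ff_thread_finish_setup() calls" check below it, so a decoder that calls this function twice for the same frame — previously just a logged warning — now either aborts (if the next thread has not yet consumed the stash) or, if it has, re-stashes pointers that were already handed to that thread, producing two owners of the same non-refcounted hwaccel_priv_data. Whether any in-tree decoder actually double-calls is not visible from this hunk, but the warning path exists because it has happened. I would make the duplicate call a no-op for the stash, e.g. guard the four stash lines with `if (atomic_load(&p->state) != STATE_SETUP_FINISHED)` or turn the duplicate call into an early return after the warning. The function's prologue is outside the hunk, so the hwaccel_serializing setup that precedes this block could not be checked here.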
@@ -700,13 +724,6 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
 
     park_frame_worker_threads(fctx, thread_count);
 
-    if (fctx->prev_thread && avctx->internal->hwaccel_priv_data !=
-                             fctx->prev_thread->avctx->internal->hwaccel_priv_data) {
-        if (update_context_from_thread(avctx, fctx->prev_thread->avctx, 1) < 0) {
-            av_log(avctx, AV_LOG_ERROR, "Failed to update user thread.\n");
-        }
-    }
-
     if (fctx->prev_thread && fctx->prev_thread != fctx->threads)
         if (update_context_from_thread(fctx->threads->avctx, fctx->prev_thread->avctx, 0) < 0) {
             av_log(avctx, AV_LOG_ERROR, "Final thread update failed\n");
@@ -760,6 +777,13 @@ void ff_frame_thread_free(AVCodecContext *avctx, int thread_count)
     av_freep(&fctx->threads);
     ff_pthread_free(fctx, thread_ctx_offsets);
 
+    /* if we have stashed hwaccel state, move it to the user-facing context,
+     * so it will be freed in avcodec_close() */
+    av_assert0(!avctx->hwaccel);
+    FFSWAP(const AVHWAccel*, avctx->hwaccel,                     fctx->stash_hwaccel);
+    FFSWAP(void*,            avctx->hwaccel_context,             fctx->stash_hwaccel_context);
+    FFSWAP(void*,            avctx->internal->hwaccel_priv_data, fctx->stash_hwaccel_priv);
+
     av_freep(&avctx->internal->thread_ctx);
 }
 
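Review bot: The FFSWAP of `avctx->hwaccel_context` is unconditional, so when this runs with a never-populated stash — a frame-threaded decode where no worker reached ff_thread_finish_setup(), or a call from the thread-init error path — the user-facing `hwaccel_context`, which if I read the public API right is an application-owned pointer, is replaced with NULL rather than left alone. The stash only needs draining when something was stashed; guarding the three swaps with `if (fctx->stash_hwaccel)` (keeping the assert before it) would preserve the caller's pointer and still route any stashed state to avcodec_close() for freeing. A one-line comment that this block must sit after `av_freep(&fctx->threads)` but before the `av_freep(&avctx->internal->thread_ctx)` that frees `fctx` itself would also protect the ordering from a future reshuffle.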
-- 
2.40.0