[Ffmpeg-devel] [PATCH] h264 crashes due to uninitialized context
Reimar Doeffinger
Reimar.Doeffinger
Tue Jan 16 14:46:19 CET 2007
Hello,
testing the "fuzzer" samples I came about these two things that I suppose
are bugs: 1) On size change, the context is freed, but context_initialized is
not set to 0 again.
2) NAL_DPC calls decode_slice which uses dps->clear_blocks, but does not
check if this is initialized yet.
Greetings,
Reimar Doeffinger
-------------- next part --------------
Index: libavcodec/h264.c
===================================================================
--- libavcodec/h264.c (revision 7541)
+++ libavcodec/h264.c (working copy)
@@ -4542,6 +4543,7 @@
&& ( s->width != s->avctx->width || s->height != s->avctx->height)) {
free_tables(h);
MPV_common_end(s);
+ s->context_initialized = 0;
}
if (!s->context_initialized) {
if (MPV_common_init(s) < 0)
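Review bot: The reset of `s->context_initialized` is placed at the one call site visible here, right after `MPV_common_end(s)`; since the flag is the counterpart of `MPV_common_init(s)` checked a few lines below, consider clearing it inside `MPV_common_end` itself so any other caller that tears down the context cannot leave the stale flag set and re-enter the decoder with freed tables. The hunk header `@@ -4542,6 +4543,7 @@` also shows the new-side offset already differs from the old side, so the patch was generated on a working copy carrying other changes; please regenerate against a clean revision 7541 before committing.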
@@ -8067,6 +8072,7 @@
h->inter_gb_ptr= &h->inter_gb;
if(h->redundant_pic_count==0 && h->intra_gb_ptr && s->data_partitioning
+ && s->context_initialized
&& s->hurry_up < 5
&& (avctx->skip_frame < AVDISCARD_NONREF || h->nal_ref_idc)
&& (avctx->skip_frame < AVDISCARD_BIDIR || h->slice_type!=B_TYPE)
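Review bot: Adding `&& s->context_initialized` to this condition makes the NAL_DPC path skip `decode_slice` silently when the context was never set up, which avoids the crash but also drops the partition without any trace; consider emitting an `av_log(avctx, AV_LOG_ERROR, ...)` in the else branch (or when the DPA/DPB partitions are parsed) so that fuzzed or truncated streams that hit this state are diagnosable rather than just yielding missing slices. The check is cheap and placed before the hurry_up/skip_frame tests, so the ordering is fine.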