mpeg4dec: Ensure data is not clobbered too early.

Avoid overwriting the bitstream buffer data before we
have ended processing the frame.
This is necessary to fix hwaccels which might try to use
the buffer during the end_frame call.
I am not sure but it is possible this could even trigger
a use-after-free if the av_fast_malloc allocated a new buffer.
This would require that decode_slice did not wind the bitstream
forward all the way to the end, which does not currently happen in
normal streams.

Signed-off-by: Reimar Döffinger <Reimar.Doeffinger@gmx.de>

1 files changed, 12 insertions, 11 deletions

diff --git a/libavcodec/h263dec.c b/libavcodec/h263dec.c
index 626be97357..52ab7797f3 100644
--- a/libavcodec/h263dec.c
+++ b/libavcodec/h263dec.c
@@ -672,7 +672,7 @@ retry:
     if (CONFIG_WMV2_DECODER && s->msmpeg4_version==5){
         ret = ff_wmv2_decode_secondary_picture_header(s);
         if(ret<0) return ret;
-        if(ret==1) goto intrax8_decoded;
+        if(ret==1) goto frame_end;
     }
 
     /* decode each macroblock */
@@ -705,7 +705,18 @@ retry:
 
     av_assert1(s->bitstream_buffer_size==0);
 frame_end:
+    ff_er_frame_end(&s->er);
+
+    if (avctx->hwaccel) {
+        if ((ret = avctx->hwaccel->end_frame(avctx)) < 0)
+            return ret;
+    }
+
+    ff_MPV_frame_end(s);
+
     /* divx 5.01+ bitstream reorder stuff */
+    /* Since this clobbers the input buffer and hwaccel codecs still need the
+     * data during hwaccel->end_frame we should not do this any earlier */
     if(s->codec_id==AV_CODEC_ID_MPEG4 && s->divx_packed){
         int current_pos= s->gb.buffer == s->bitstream_buffer ? 0 : (get_bits_count(&s->gb)>>3);
         int startcode_found=0;
@@ -732,16 +743,6 @@ frame_end:
         }
     }
 
-intrax8_decoded:
-    ff_er_frame_end(&s->er);
-
-    if (avctx->hwaccel) {
-        if ((ret = avctx->hwaccel->end_frame(avctx)) < 0)
-            return ret;
-    }
-
-    ff_MPV_frame_end(s);
-
     if (!s->divx_packed && avctx->hwaccel)
         ff_thread_finish_setup(avctx);