rv34: set mb_num_left to 0 after finishing a frame

Prevents running error resilience on a previous frame which will write
to the pic->mb_type[] array of the previous image. The array might
already be re-used for a new image in a subsequent thread, thus cause
two threads to write to the same pic->mb_type[] array, causing a race
condition which can crash in rv34_decode_cbp(), called by
rv34_decode_inter_mb_header() (which accesses mb_type[] twice,
assuming values are maintained, which the race condition breaks).

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
CC: libav-stable@libav.org

diff --git a/libavcodec/rv34.c b/libavcodec/rv34.c
index da5d437b076b0e835247f8f52cace5eef55c59c8..b366ead7761317b9335be64904111e5ee2de0f36 100644 (file)
--- a/libavcodec/rv34.c
+++ b/libavcodec/rv34.c
@@ -1576,6 +1576,7 @@ static int finish_frame(AVCodecContext *avctx, AVFrame *pict)
 
     ff_er_frame_end(s);
     ff_MPV_frame_end(s);
+    s->mb_num_left = 0;
 
     if (HAVE_THREADS && (s->avctx->active_thread_type & FF_THREAD_FRAME))
         ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0);
@@ -1774,6 +1775,7 @@ int ff_rv34_decode_frame(AVCodecContext *avctx,
              * only complete frames */
             ff_er_frame_end(s);
             ff_MPV_frame_end(s);
+            s->mb_num_left = 0;
             ff_thread_report_progress(&s->current_picture_ptr->f, INT_MAX, 0);
             return AVERROR_INVALIDDATA;
         }