author | marcheu@chromium.org <marcheu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-21 04:45:04 +0000 |
---|---|---|
committer | marcheu@chromium.org <marcheu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-08-21 04:45:04 +0000 |
commit | 89c80cee1a98aed1d48cb00c169de95a39fc28cb (patch) | |
tree | b36e647e745212e60ec2e8d98e0121aaa3cddb7d /content | |
parent | bfb0e40d7cc3aa69cf36b41fb9132811b85f27aa (diff) | |
VAVDA: Properly size the picture vector before using it
Otherwise this causes memory corruption, which eventually makes the GPU
process crash, usually inside tcmalloc functions.
BUG=chromium:142452
TEST=by hand, attach gdb to the gpu process, navigate to
TEST=http://www.apple.com/html5/showcase/video/ and press reload multiple
TEST=times
Change-Id: Ia6040e73eed7307c79f06bfff1514eef8bb4f2ed
Review URL: https://chromiumcodereview.appspot.com/10834411
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@152509 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r-- | content/common/gpu/media/vaapi_h264_decoder.cc | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/content/common/gpu/media/vaapi_h264_decoder.cc b/content/common/gpu/media/vaapi_h264_decoder.cc
index 02ad4e2..5bc6c24 100644
--- a/content/common/gpu/media/vaapi_h264_decoder.cc
+++ b/content/common/gpu/media/vaapi_h264_decoder.cc
@@ -1355,15 +1355,20 @@ int VaapiH264Decoder::LongTermPicNumF(H264Picture *pic) {
 
 // Shift elements on the |v| starting from |from| to |to|, inclusive,
 // one position to the right and insert pic at |from|.
-static void ShiftRightAndInsert(H264Picture::PtrVector& v,
+static void ShiftRightAndInsert(H264Picture::PtrVector *v,
 int from,
 int to,
 H264Picture* pic) {
 DCHECK(pic);
+ DCHECK((to + 1 == static_cast<int>(v->size())) ||
+ (to + 2 == static_cast<int>(v->size())));
+
+ v->resize(to + 2);
+
 for (int i = to + 1; i > from; --i)
- v[i] = v[i - 1];
+ (*v)[i] = (*v)[i - 1];
 
- v[from] = pic;
+ (*v)[from] = pic;
 }
 
 bool VaapiH264Decoder::ModifyReferencePicList(H264SliceHeader *slice_hdr,
@@ -1439,7 +1444,7 @@ bool VaapiH264Decoder::ModifyReferencePicList(H264SliceHeader *slice_hdr,
 DVLOG(1) << "Malformed stream, no pic num " << pic_num_lx;
 return false;
 }
- ShiftRightAndInsert(*ref_pic_listx, ref_idx_lx,
+ ShiftRightAndInsert(ref_pic_listx, ref_idx_lx,
 num_ref_idx_lX_active_minus1, pic);
 ref_idx_lx++;
 
@@ -1459,7 +1464,7 @@ bool VaapiH264Decoder::ModifyReferencePicList(H264SliceHeader *slice_hdr,
 DVLOG(1) << "Malformed stream, no pic num " << pic_num_lx;
 return false;
 }
- ShiftRightAndInsert(*ref_pic_listx, ref_idx_lx,
+ ShiftRightAndInsert(ref_pic_listx, ref_idx_lx,
 num_ref_idx_lX_active_minus1, pic);
 ref_idx_lx++;
 
|
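Review bot: In ShiftRightAndInsert, `from` is never validated and the only size precondition is a DCHECK, which is compiled out of release builds. After `v->resize(to + 2)`, a `from` that is negative or greater than `to + 1` still makes `(*v)[from] = pic` write outside the vector, and a negative `to` converts to a very large unsigned size in the resize call. Both call sites in ModifyReferencePicList (the two later hunks) pass `ref_idx_lx` and `num_ref_idx_lX_active_minus1`, which appear to derive from the slice header, so presumably a malformed stream can reach this path; any range checks on those values lie outside the visible hunks. I would add a check ahead of the resize that stays active in release builds, for example `CHECK(from >= 0 && from <= to);`, or have the callers `return false` as they already do for a missing picture.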