gst-ffmpeg: Add CVE patches

Security Advisory - ffmpeg - CVE-2013-0866 The aac_decode_init function in libavcodec/aacdec.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.2 allows remote attackers to have an unspecified impact via a large number of channels in an AAC file, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0866 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0875 The ff_add_png_paeth_prediction function in libavcodec/pngdec.c in FFmpeg before 1.1.3 allows remote attackers to have an unspecified impact via a crafted PNG image, related to an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0875 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0860 The ff_er_frame_end function in libavcodec/error_resilience.c in FFmpeg before 1.0.4 and 1.1.x before 1.1.1 does not properly verify that a frame is fully initialized, which allows remote attackers to trigger a NULL pointer dereference via crafted picture data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0860 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3934 Double free vulnerability in the vp3_update_thread_context function in libavcodec/vp3.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted vp3 data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3934 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3946 The ff_h264_decode_sei function in libavcodec/h264_sei.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Supplemental enhancement information (SEI) data, which triggers an infinite loop. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3946 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7023 The ff_combine_frame function in libavcodec/parser.c in FFmpeg before 2.1 does not properly handle certain memory-allocation errors, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7023 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7009 The rpza_decode_stream function in libavcodec/rpza.c in FFmpeg before 2.1 does not properly maintain a pointer to pixel data, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Apple RPZA data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7009 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0855 Integer overflow in the alac_decode_close function in libavcodec/alac.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a large number of samples per frame in Apple Lossless Audio Codec (ALAC) data, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0855 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-4351 Buffer overflow in FFmpeg before 0.5.6, 0.6.x before 0.6.4, 0.7.x before 0.7.8, and 0.8.x before 0.8.8 allows remote attackers to execute arbitrary code via unspecified vectors. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4351 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0848 The decode_init function in libavcodec/huffyuv.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via a crafted width in huffyuv data with the predictor set to median and the colorspace set to YUV422P, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0848 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3944 The smacker_decode_header_tree function in libavcodec/smacker.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via crafted Smacker data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3944 file://0001-huffyuvdec-check-width-more-completely-avoid-out-of-.patch \ gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-7010 Multiple integer signedness errors in libavcodec/dsputil.c in FFmpeg before 2.1 allow remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted data. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7010 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2011-3941 The decode_mb function in libavcodec/error_resilience.c in FFmpeg before 0.10 allows remote attackers to have an unspecified impact via vectors related to an uninitialized block index, which triggers an out-of-bound write. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3941 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2013-0846 Array index error in the qdm2_decode_super_block function in libavcodec/qdm2.c in FFmpeg before 1.1 allows remote attackers to have an unspecified impact via crafted QDM2 data, which triggers an out-of-bounds array access. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0846 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6618 The av_probe_input_buffer function in libavformat/utils.c in FFmpeg before 1.0.2, when running with certain -probesize values, allows remote attackers to cause a denial of service (crash) via a crafted MP3 file, possibly related to frame size or lack of sufficient frames to estimate rate. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6618 gst-ffmpeg: Security Advisory - ffmpeg - CVE-2012-6617 The prepare_sdp_description function in ffserver.c in FFmpeg before 1.0.2 allows remote attackers to cause a denial of service (crash) via vectors related to the rtp format. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6617 (From OE-Core rev: 58f08a96764094189b5aaf3cc8b4cc0c95e23409) (From OE-Core rev: 9b3a2d0716540dae72376a8c2e418b244a85c0cb) Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Yue Tao <Yue.Tao@windriver.com> 2014-07-22 15:46:36 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-10-10 15:06:06 +0100
commit: 90623776248e50a7a2b95247ba7b4aeac2dcbdc2 (patch)
tree: d04c5c3672b094e3cdc3a46dcb2f078fc34784c7 /meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
parent: 014309709558c47e1b2ed4c79d79b5398201f5f4 (diff)
download: poky-90623776248e50a7a2b95247ba7b4aeac2dcbdc2.tar.gz
1 files changed, 183 insertions, 0 deletions
diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
new file mode 100644
index 0000000000..e83d8f402b
--- /dev/null
+++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
@@ -0,0 +1,183 @@
+gst-ffmpeg: vp3: fix oob read for negative tokens and memleaks on error.
+Upstream-Status: Backport 
+Signed-off-by: Yue.Tao <yue.tao@windriver.com>
+---
+ libavcodec/vp3.c |   59 +++++++++++++++++++++++++++++++++++++++++------------
+ 1 files changed, 45 insertions(+), 14 deletions(-)
+diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
+index 36715bb..ce14e63 100644
+--- a/gst-libs/ext/libav/libavcodec/vp3.c
+++ b/gst-libs/ext/libav/libavcodec/vp3.c
+@@ -45,6 +45,7 @@
+ #define FRAGMENT_PIXELS 8
+ 
+ static av_cold int vp3_decode_end(AVCodecContext *avctx);
+static void vp3_decode_flush(AVCodecContext *avctx);
+ 
+ //FIXME split things out into their own arrays
+ typedef struct Vp3Fragment {
+@@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+             /* decode a VLC into a token */
+             token = get_vlc2(gb, vlc_table, 11, 3);
+             /* use the token to get a zero run, a coefficient, and an eob run */
+-            if (token <= 6) {
+            if ((unsigned) token <= 6U) {
+                 eob_run = eob_run_base[token];
+                 if (eob_run_get_bits[token])
+                     eob_run += get_bits(gb, eob_run_get_bits[token]);
+@@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+                     coeff_i        += eob_run;
+                     eob_run = 0;
+                 }
+-            } else {
+            } else if (token >= 0) {
+                 bits_to_get = coeff_get_bits[token];
+                 if (bits_to_get)
+                     bits_to_get = get_bits(gb, bits_to_get);
+@@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext *s, GetBitContext *gb,
+                 for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
+                     s->num_coded_frags[plane][i]--;
+                 coeff_i++;
+            } else {
+                av_log(s->avctx, AV_LOG_ERROR,
+                       "Invalid token %d\n", token);
+                return -1;
+             }
+     }
+ 
+@@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+     /* unpack the Y plane DC coefficients */
+     residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
+         0, residual_eob_run);
+    if (residual_eob_run < 0)
+        return residual_eob_run;
+ 
+     /* reverse prediction of the Y-plane DC coefficients */
+     reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
+@@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+     /* unpack the C plane DC coefficients */
+     residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
+         1, residual_eob_run);
+    if (residual_eob_run < 0)
+        return residual_eob_run;
+     residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
+         2, residual_eob_run);
+    if (residual_eob_run < 0)
+        return residual_eob_run;
+ 
+     /* reverse prediction of the C-plane DC coefficients */
+     if (!(s->avctx->flags & CODEC_FLAG_GRAY))
+@@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext *s, GetBitContext *gb)
+     for (i = 1; i <= 63; i++) {
+             residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
+                 0, residual_eob_run);
+            if (residual_eob_run < 0)
+                return residual_eob_run;
+ 
+             residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
+                 1, residual_eob_run);
+            if (residual_eob_run < 0)
+                return residual_eob_run;
+             residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
+                 2, residual_eob_run);
+            if (residual_eob_run < 0)
+                return residual_eob_run;
+     }
+ 
+     return 0;
+@@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+     Vp3DecodeContext *s = dst->priv_data, *s1 = src->priv_data;
+     int qps_changed = 0, i, err;
+ 
+#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
+
+     if (!s1->current_frame.data[0]
+         ||s->width != s1->width
+-        ||s->height!= s1->height)
+        ||s->height!= s1->height) {
+        if (s != s1)
+            copy_fields(s, s1, golden_frame, current_frame);
+         return -1;
+    }
+ 
+     if (s != s1) {
+         // init tables if the first frame hasn't been decoded
+@@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext *dst, const AVCodecContext *
+             memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
+         }
+ 
+-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char*)&to->end_field - (char*)&to->start_field)
+-
+         // copy previous frame data
+         copy_fields(s, s1, golden_frame, dsp);
+ 
+@@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
+     Vp3DecodeContext *s = avctx->priv_data;
+     int i;
+ 
+-    if (avctx->is_copy && !s->current_frame.data[0])
+-        return 0;
+-
+     av_free(s->superblock_coding);
+     av_free(s->all_fragments);
+     av_free(s->coded_fragment_list[0]);
+@@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
+     free_vlc(&s->motion_vector_vlc);
+ 
+     /* release all frames */
+-    if (s->golden_frame.data[0])
+-        ff_thread_release_buffer(avctx, &s->golden_frame);
+-    if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
+-        ff_thread_release_buffer(avctx, &s->last_frame);
+-    /* no need to release the current_frame since it will always be pointing
+-     * to the same frame as either the golden or last frame */
+    vp3_decode_flush(avctx);
+ 
+     return 0;
+ }
+@@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx)
+         ff_thread_release_buffer(avctx, &s->current_frame);
+ }
+ 
+static int vp3_init_thread_copy(AVCodecContext *avctx)
+{
+    Vp3DecodeContext *s = avctx->priv_data;
+
+    s->superblock_coding      = NULL;
+    s->all_fragments          = NULL;
+    s->coded_fragment_list[0] = NULL;
+    s->dct_tokens_base        = NULL;
+    s->superblock_fragments   = NULL;
+    s->macroblock_coding      = NULL;
+    s->motion_val[0]          = NULL;
+    s->motion_val[1]          = NULL;
+    s->edge_emu_buffer        = NULL;
+
+    return 0;
+}
+
+ AVCodec ff_theora_decoder = {
+     .name           = "theora",
+     .type           = AVMEDIA_TYPE_VIDEO,
+@@ -2352,6 +2381,7 @@ AVCodec ff_theora_decoder = {
+     .capabilities   = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
+     .flush = vp3_decode_flush,
+     .long_name = NULL_IF_CONFIG_SMALL("Theora"),
+    .init_thread_copy      = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
+     .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
+ };
+ #endif
+@@ -2367,5 +2397,6 @@ AVCodec ff_vp3_decoder = {
+     .capabilities   = CODEC_CAP_DR1 | CODEC_CAP_DRAW_HORIZ_BAND | CODEC_CAP_FRAME_THREADS,
+     .flush = vp3_decode_flush,
+     .long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
+    .init_thread_copy      = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
+     .update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
+ };
+-- 
+1.7.5.4
author	Yue Tao <Yue.Tao@windriver.com>	2014-07-22 15:46:36 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-10-10 15:06:06 +0100
commit	90623776248e50a7a2b95247ba7b4aeac2dcbdc2 (patch)
tree	d04c5c3672b094e3cdc3a46dcb2f078fc34784c7 /meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
parent	014309709558c47e1b2ed4c79d79b5398201f5f4 (diff)
download	poky-90623776248e50a7a2b95247ba7b4aeac2dcbdc2.tar.gz

diff --git a/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch new file mode 100644 index 0000000000..e83d8f402b --- /dev/null +++ b/meta/recipes-multimedia/gstreamer/gst-ffmpeg-0.10.13/0001-vp3-fix-oob-read-for-negative-tokens-and-memleaks-on.patch
@@ -0,0 +1,183 @@
	1	gst-ffmpeg: vp3: fix oob read for negative tokens and memleaks on error.
	2
	3	Upstream-Status: Backport
	4
	5	Signed-off-by: Yue.Tao <yue.tao@windriver.com>
	6
	7	---
	8	libavcodec/vp3.c \| 59 +++++++++++++++++++++++++++++++++++++++++------------
	9	1 files changed, 45 insertions(+), 14 deletions(-)
	10
	11	diff --git a/libavcodec/vp3.c b/libavcodec/vp3.c
	12	index 36715bb..ce14e63 100644
	13	--- a/gst-libs/ext/libav/libavcodec/vp3.c
	14	+++ b/gst-libs/ext/libav/libavcodec/vp3.c
	15	@@ -45,6 +45,7 @@
	16	#define FRAGMENT_PIXELS 8
	17
	18	static av_cold int vp3_decode_end(AVCodecContext *avctx);
	19	+static void vp3_decode_flush(AVCodecContext *avctx);
	20
	21	//FIXME split things out into their own arrays
	22	typedef struct Vp3Fragment {
	23	@@ -890,7 +891,7 @@ static int unpack_vlcs(Vp3DecodeContext s, GetBitContext gb,
	24	/* decode a VLC into a token */
	25	token = get_vlc2(gb, vlc_table, 11, 3);
	26	/* use the token to get a zero run, a coefficient, and an eob run */
	27	- if (token <= 6) {
	28	+ if ((unsigned) token <= 6U) {
	29	eob_run = eob_run_base[token];
	30	if (eob_run_get_bits[token])
	31	eob_run += get_bits(gb, eob_run_get_bits[token]);
	32	@@ -908,7 +909,7 @@ static int unpack_vlcs(Vp3DecodeContext s, GetBitContext gb,
	33	coeff_i += eob_run;
	34	eob_run = 0;
	35	}
	36	- } else {
	37	+ } else if (token >= 0) {
	38	bits_to_get = coeff_get_bits[token];
	39	if (bits_to_get)
	40	bits_to_get = get_bits(gb, bits_to_get);
	41	@@ -942,6 +943,10 @@ static int unpack_vlcs(Vp3DecodeContext s, GetBitContext gb,
	42	for (i = coeff_index+1; i <= coeff_index+zero_run; i++)
	43	s->num_coded_frags[plane][i]--;
	44	coeff_i++;
	45	+ } else {
	46	+ av_log(s->avctx, AV_LOG_ERROR,
	47	+ "Invalid token %d\n", token);
	48	+ return -1;
	49	}
	50	}
	51
	52	@@ -991,6 +996,8 @@ static int unpack_dct_coeffs(Vp3DecodeContext s, GetBitContext gb)
	53	/* unpack the Y plane DC coefficients */
	54	residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_y_table], 0,
	55	0, residual_eob_run);
	56	+ if (residual_eob_run < 0)
	57	+ return residual_eob_run;
	58
	59	/* reverse prediction of the Y-plane DC coefficients */
	60	reverse_dc_prediction(s, 0, s->fragment_width[0], s->fragment_height[0]);
	61	@@ -998,8 +1005,12 @@ static int unpack_dct_coeffs(Vp3DecodeContext s, GetBitContext gb)
	62	/* unpack the C plane DC coefficients */
	63	residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
	64	1, residual_eob_run);
	65	+ if (residual_eob_run < 0)
	66	+ return residual_eob_run;
	67	residual_eob_run = unpack_vlcs(s, gb, &s->dc_vlc[dc_c_table], 0,
	68	2, residual_eob_run);
	69	+ if (residual_eob_run < 0)
	70	+ return residual_eob_run;
	71
	72	/* reverse prediction of the C-plane DC coefficients */
	73	if (!(s->avctx->flags & CODEC_FLAG_GRAY))
	74	@@ -1036,11 +1047,17 @@ static int unpack_dct_coeffs(Vp3DecodeContext s, GetBitContext gb)
	75	for (i = 1; i <= 63; i++) {
	76	residual_eob_run = unpack_vlcs(s, gb, y_tables[i], i,
	77	0, residual_eob_run);
	78	+ if (residual_eob_run < 0)
	79	+ return residual_eob_run;
	80
	81	residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
	82	1, residual_eob_run);
	83	+ if (residual_eob_run < 0)
	84	+ return residual_eob_run;
	85	residual_eob_run = unpack_vlcs(s, gb, c_tables[i], i,
	86	2, residual_eob_run);
	87	+ if (residual_eob_run < 0)
	88	+ return residual_eob_run;
	89	}
	90
	91	return 0;
	92	@@ -1777,10 +1794,15 @@ static int vp3_update_thread_context(AVCodecContext dst, const AVCodecContext
	93	Vp3DecodeContext s = dst->priv_data, s1 = src->priv_data;
	94	int qps_changed = 0, i, err;
	95
	96	+#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char)&to->end_field - (char)&to->start_field)
	97	+
	98	if (!s1->current_frame.data[0]
	99	\|\|s->width != s1->width
	100	- \|\|s->height!= s1->height)
	101	+ \|\|s->height!= s1->height) {
	102	+ if (s != s1)
	103	+ copy_fields(s, s1, golden_frame, current_frame);
	104	return -1;
	105	+ }
	106
	107	if (s != s1) {
	108	// init tables if the first frame hasn't been decoded
	109	@@ -1796,8 +1818,6 @@ static int vp3_update_thread_context(AVCodecContext dst, const AVCodecContext
	110	memcpy(s->motion_val[1], s1->motion_val[1], c_fragment_count * sizeof(*s->motion_val[1]));
	111	}
	112
	113	-#define copy_fields(to, from, start_field, end_field) memcpy(&to->start_field, &from->start_field, (char)&to->end_field - (char)&to->start_field)
	114	-
	115	// copy previous frame data
	116	copy_fields(s, s1, golden_frame, dsp);
	117
	118	@@ -1987,9 +2007,6 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
	119	Vp3DecodeContext *s = avctx->priv_data;
	120	int i;
	121
	122	- if (avctx->is_copy && !s->current_frame.data[0])
	123	- return 0;
	124	-
	125	av_free(s->superblock_coding);
	126	av_free(s->all_fragments);
	127	av_free(s->coded_fragment_list[0]);
	128	@@ -2016,12 +2033,7 @@ static av_cold int vp3_decode_end(AVCodecContext *avctx)
	129	free_vlc(&s->motion_vector_vlc);
	130
	131	/* release all frames */
	132	- if (s->golden_frame.data[0])
	133	- ff_thread_release_buffer(avctx, &s->golden_frame);
	134	- if (s->last_frame.data[0] && s->last_frame.type != FF_BUFFER_TYPE_COPY)
	135	- ff_thread_release_buffer(avctx, &s->last_frame);
	136	- /* no need to release the current_frame since it will always be pointing
	137	- * to the same frame as either the golden or last frame */
	138	+ vp3_decode_flush(avctx);
	139
	140	return 0;
	141	}
	142	@@ -2341,6 +2353,23 @@ static void vp3_decode_flush(AVCodecContext *avctx)
	143	ff_thread_release_buffer(avctx, &s->current_frame);
	144	}
	145
	146	+static int vp3_init_thread_copy(AVCodecContext *avctx)
	147	+{
	148	+ Vp3DecodeContext *s = avctx->priv_data;
	149	+
	150	+ s->superblock_coding = NULL;
	151	+ s->all_fragments = NULL;
	152	+ s->coded_fragment_list[0] = NULL;
	153	+ s->dct_tokens_base = NULL;
	154	+ s->superblock_fragments = NULL;
	155	+ s->macroblock_coding = NULL;
	156	+ s->motion_val[0] = NULL;
	157	+ s->motion_val[1] = NULL;
	158	+ s->edge_emu_buffer = NULL;
	159	+
	160	+ return 0;
	161	+}
	162	+
	163	AVCodec ff_theora_decoder = {
	164	.name = "theora",
	165	.type = AVMEDIA_TYPE_VIDEO,
	166	@@ -2352,6 +2381,7 @@ AVCodec ff_theora_decoder = {
	167	.capabilities = CODEC_CAP_DR1 \| CODEC_CAP_DRAW_HORIZ_BAND \| CODEC_CAP_FRAME_THREADS,
	168	.flush = vp3_decode_flush,
	169	.long_name = NULL_IF_CONFIG_SMALL("Theora"),
	170	+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
	171	.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
	172	};
	173	#endif
	174	@@ -2367,5 +2397,6 @@ AVCodec ff_vp3_decoder = {
	175	.capabilities = CODEC_CAP_DR1 \| CODEC_CAP_DRAW_HORIZ_BAND \| CODEC_CAP_FRAME_THREADS,
	176	.flush = vp3_decode_flush,
	177	.long_name = NULL_IF_CONFIG_SMALL("On2 VP3"),
	178	+ .init_thread_copy = ONLY_IF_THREADS_ENABLED(vp3_init_thread_copy),
	179	.update_thread_context = ONLY_IF_THREADS_ENABLED(vp3_update_thread_context)
	180	};
	181	--
	182	1.7.5.4
	183