

ref: 4903d87b73b5bc7bd7fe949034666dc2bc4512af
parent: 8cf300206d60d904afb1f7d1e60c86152da3337c
author: Janne Grunau <[email protected]>
date: Mon Dec 3 15:12:46 EST 2018

frame-mt: output only fully decoded frames

Fixes use of uninitialized vaue in apply_to_row_y() with
clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5753369222709248. Credits
to oss-fuzz.

--- a/src/decode.c
+++ b/src/decode.c
@@ -2987,7 +2987,9 @@
                               &f->frame_thread.td.lock);
         out_delayed = &c->frame_thread.out_delayed[next];
         if (out_delayed->p.data[0]) {
-            if (out_delayed->visible)
+            const unsigned progress = atomic_load_explicit(&out_delayed->progress[1],
+                                                           memory_order_relaxed);
+            if (out_delayed->visible && progress != FRAME_ERROR)
                 dav1d_picture_ref(&c->out, &out_delayed->p);
             dav1d_thread_picture_unref(out_delayed);
         }
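Review bot: The new guard only excludes `FRAME_ERROR`, so whether a partially progressed frame can still be handed to `c->out` depends on the wait above (the `pthread_cond_wait` on `f->frame_thread.td.lock` that starts before this hunk) guaranteeing that `progress[1]` has reached its final value by the time it is read; the relaxed load on its own does not establish that ordering, so the guarantee presumably comes from the lock handoff and should be stated. A short comment above the load would make the invariant checkable, e.g. `/* after the wait on td.lock the decode of out_delayed has finished, so progress[1] is either its final row count or FRAME_ERROR; relaxed is sufficient here */`. If that invariant does not hold, the comparison should instead be against the expected completed value rather than only against the error sentinel. The enclosing function starts outside the hunk.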
@@ -3308,7 +3310,10 @@
             dav1d_thread_picture_unref(&f->refp[i]);
         dav1d_ref_dec(&f->ref_mvs_ref[i]);
     }
-    dav1d_picture_unref(&c->out);
+    if (c->n_fc == 1)
+        dav1d_picture_unref(&c->out);
+    else
+        dav1d_thread_picture_unref(out_delayed);
     dav1d_picture_unref(&f->cur);
     dav1d_thread_picture_unref(&f->sr_cur);
     dav1d_ref_dec(&f->mvs_ref);
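Review bot: The new `else dav1d_thread_picture_unref(out_delayed);` on the error path reads `out_delayed`, which in the first hunk is only assigned inside the frame-threading branch; if any failure jumps to this cleanup before that assignment, or after the earlier `dav1d_thread_picture_unref(out_delayed)` at the end of the first hunk has already released it and before a new picture was stored there, the pointer is either indeterminate or points at an already-released slot. Unless `out_delayed` is initialized to `NULL` at the top of the function and `dav1d_thread_picture_unref` tolerates a `NULL` argument and an already-unreferenced picture (neither is visible here), the branch should be guarded, e.g. `else if (out_delayed) dav1d_thread_picture_unref(out_delayed);`, and the initialization documented at the declaration. The enclosing function begins outside the hunk, so the declaration and the error label cannot be checked from this view.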