shithub: dav1d

Download patch

ref: 9f17489c4de0035f4262ea39a2193c8ca82c1035
parent: 46a3fd20e032a740061e222414c4145310893593
author: Janne Grunau <[email protected]>
date: Fri Oct 26 16:48:48 EDT 2018

unref reference pictures after decoding errors

Fix #115. Fix 'assert(seg_id < 8)' in
clusterfuzz-testcase-minimized-dav1d_fuzzer-5740590025670656 due to
decoding error in the primary reference picture. Credits to oss-fuzz.

--- a/src/decode.c
+++ b/src/decode.c
@@ -3041,6 +3041,22 @@
     if (c->n_fc == 1) {
         if ((res = dav1d_decode_frame(f)) < 0) {
             dav1d_picture_unref(&c->out);
+            for (int i = 0; i < 8; i++) {
+                if (f->frame_hdr.refresh_frame_flags & (1 << i)) {
+                    if (c->refs[i].p.p.data[0])
+                        dav1d_thread_picture_unref(&c->refs[i].p);
+                    if (c->cdf[i].cdf)
+                        dav1d_cdf_thread_unref(&c->cdf[i]);
+                    if (c->refs[i].segmap) {
+                        dav1d_ref_dec(c->refs[i].segmap);
+                        c->refs[i].segmap = NULL;
+                    }
+                    if (c->refs[i].refmvs) {
+                        dav1d_ref_dec(c->refs[i].refmvs);
+                        c->refs[i].refmvs = NULL;
+                    }
+                }
+            }
             return res;
         }
     } else {