ref: 9f17489c4de0035f4262ea39a2193c8ca82c1035
parent: 46a3fd20e032a740061e222414c4145310893593
author: Janne Grunau <janne-vlc@jannau.net>
date: Fri Oct 26 16:48:48 EDT 2018
unref reference pictures after decoding errors

Fixes #115. Fixes the 'assert(seg_id < 8)' failure in clusterfuzz-testcase-minimized-dav1d_fuzzer-5740590025670656, which was caused by a decoding error in the primary reference picture. Credits to oss-fuzz.
--- a/src/decode.c
+++ b/src/decode.c
@@ -3041,6 +3041,22 @@
if (c->n_fc == 1) {
if ((res = dav1d_decode_frame(f)) < 0) {
dav1d_picture_unref(&c->out);
+ for (int i = 0; i < 8; i++) {
+ if (f->frame_hdr.refresh_frame_flags & (1 << i)) {
+ if (c->refs[i].p.p.data[0])
+ dav1d_thread_picture_unref(&c->refs[i].p);
+ if (c->cdf[i].cdf)
+ dav1d_cdf_thread_unref(&c->cdf[i]);
+ if (c->refs[i].segmap) {
+ dav1d_ref_dec(c->refs[i].segmap);
+ c->refs[i].segmap = NULL;
+ }
+ if (c->refs[i].refmvs) {
+ dav1d_ref_dec(c->refs[i].refmvs);
+ c->refs[i].refmvs = NULL;
+ }
+ }
+ }
return res;
}
} else {
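Review bot: The cleanup loop added after `dav1d_picture_unref(&c->out)` hard-codes the reference-slot count as `8` and tests `f->frame_hdr.refresh_frame_flags & (1 << i)` inline; a named constant for the slot count (the same one the `seg_id < 8` assert in the commit message relies on) would keep the two in agreement and make the intent of the mask readable. The four unrefs also use two different patterns: the picture and CDF entries are guarded by `c->refs[i].p.p.data[0]` / `c->cdf[i].cdf` and left to the unref helper to reset, while `segmap` and `refmvs` are decremented and explicitly set to `NULL`; a short comment stating that the former helpers clear their own state, or making all four slots follow the same shape, would make it clear that no slot is left pointing at a freed buffer. Since the same partially-decoded state can presumably arise on the frame-threaded path, this loop looks like a candidate for a small `static` helper that both branches call, rather than inline code in one of them. The `else` branch that begins on the hunk's last line continues outside the hunk, so whether it already performs equivalent cleanup cannot be confirmed here.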