

ref: 71d619c9f533792db219af254bee3d500aaeeaa5
parent: 5ae7dc93b04122f19cbc09a2dbc89ac3f2e2a196
author: xiaotiansf <xiaotianshimail@gmail.com>
date: Tue Feb 12 12:09:28 EST 2019

Fix Issues 13030 and 13039 in oss-fuzz.

--- a/codec/decoder/core/src/decode_slice.cpp
+++ b/codec/decoder/core/src/decode_slice.cpp
@@ -56,6 +56,22 @@
 
 extern PPicture AllocPicture (PWelsDecoderContext pCtx, const int32_t kiPicWidth, const int32_t kiPicHeight);
 
+static bool CheckRefPics (const PWelsDecoderContext& pCtx) {
+  int32_t listCount = 1;
+  if (pCtx->eSliceType == B_SLICE) {
+    ++listCount;
+  }
+  for (int32_t list = LIST_0; list < listCount; ++list) {
+    int32_t refCount = pCtx->sRefPic.uiRefCount[list];
+    for (int32_t refIdx = 0; refIdx < refCount; ++refIdx) {
+      if (!pCtx->sRefPic.pRefList[list][refIdx]) {
+        return false;
+      }
+    }
+  }
+  return true;
+}
+
 int32_t WelsTargetSliceConstruction (PWelsDecoderContext pCtx) {
   PDqLayer pCurLayer = pCtx->pCurDqLayer;
   PSlice pCurSlice = &pCurLayer->sLayerInfo.sSliceInLayer;
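Review bot: CheckRefPics uses `pCtx->sRefPic.uiRefCount[list]` as the inner loop bound without comparing it to the capacity of `pRefList[list]`. The array's declared size is not visible in this hunk, so if the count can be influenced by slice-header fields, the helper itself could read past the end of the list while looking for NULL entries. Bounding the loop by the array dimension as well as the count would make it safe on its own. A one-line comment above the helper would also help, for example `// Returns false if any active reference list entry for the current slice type is NULL.`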
@@ -318,7 +334,10 @@
     WelsMbIntraPredictionConstruction (pCtx, pCurLayer, 1);
   } else if (IS_INTER (pCurLayer->pMbType[pCurLayer->iMbXyIndex])) { //InterMB
     if (0 == pCurLayer->pCbp[pCurLayer->iMbXyIndex]) { //uiCbp==0 include SKIP
-      WelsMbInterPrediction (pCtx, pCurLayer);
+      if (!CheckRefPics (pCtx)) {
+        return ERR_INFO_MB_RECON_FAIL;
+      }
+      return WelsMbInterPrediction (pCtx, pCurLayer);
     } else {
       WelsMbInterConstruction (pCtx, pCurLayer);
     }
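Review bot: The new CheckRefPics guard covers only the `0 == pCbp` branch; the `else` branch still calls `WelsMbInterConstruction (pCtx, pCurLayer);` with no reference check, and nothing is done with its result. If that function also predicts from `pRefList` (its body is not in this hunk), a stream with a missing reference and a non-zero CBP would presumably reach the same NULL entry. Placing `if (!CheckRefPics (pCtx)) return ERR_INFO_MB_RECON_FAIL;` directly after the `IS_INTER` test, before the CBP test, would cover both paths. The enclosing function begins and ends outside the hunk, so how the other branches report errors cannot be confirmed from here.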
@@ -2783,7 +2802,7 @@
   return ERR_NONE;
 }
 
-void WelsBlockFuncInit (SBlockFunc*   pFunc,  int32_t iCpu) {
+void WelsBlockFuncInit (SBlockFunc*    pFunc,  int32_t iCpu) {
   pFunc->pWelsSetNonZeroCountFunc   = WelsNonZeroCount_c;
   pFunc->pWelsBlockZero16x16Func    = WelsBlockZero16x16_c;
   pFunc->pWelsBlockZero8x8Func      = WelsBlockZero8x8_c;
--- a/codec/decoder/core/src/decoder.cpp
+++ b/codec/decoder/core/src/decoder.cpp
@@ -826,7 +826,8 @@
   const int32_t kiPicWidth    = kiMbWidth << 4;
   const int32_t kiPicHeight   = kiMbHeight << 4;
   //fix Bugzilla Bug1479656 reallocate temp dec picture
-  if (pCtx->pTempDec != NULL) {
+  if (pCtx->pTempDec != NULL && (pCtx->pTempDec->iWidthInPixel != kiPicWidth
+                                 || pCtx->pTempDec->iHeightInPixel != kiPicHeight)) {
     FreePicture (pCtx->pTempDec, pCtx->pMemAlign);
     pCtx->pTempDec = AllocPicture (pCtx, pCtx->pSps->iMbWidth << 4, pCtx->pSps->iMbHeight << 4);
   }
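Review bot: The new guard compares the existing picture against `kiPicWidth`/`kiPicHeight`, but the reallocation on the last line still sizes the buffer from `pCtx->pSps->iMbWidth << 4` and `pCtx->pSps->iMbHeight << 4`. Where `kiMbWidth` comes from is outside the hunk; if it can differ from the SPS currently attached to the context, the buffer is allocated at a size the guard did not test for. Allocating with the same values removes that gap: `pCtx->pTempDec = AllocPicture (pCtx, kiPicWidth, kiPicHeight);`. The result of AllocPicture is also not checked after the old picture has been freed, so a failed allocation leaves `pTempDec` NULL for whatever code follows outside the hunk.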