ref: ccb105af9e814d3e467edd28db753e52965a5d7a
parent: 6aaa51dc70c11bf39bfe33840f9b122c115460e2
author: xiaotiansf <xiaotianshimail@gmail.com>
date: Sun Apr 21 10:13:52 EDT 2019
Better way to fix oss-fuzz reported bug 14267 by re-assigning reference's references after memory reallocations in DecreasePicBuff instead of just reset.
--- a/codec/decoder/core/src/decoder.cpp
+++ b/codec/decoder/core/src/decoder.cpp
@@ -209,13 +209,24 @@
iDelIdx = kiNewSize;
}
- //remove references
+ //update references due to allocation changes
for (int32_t i = 0; i < kiNewSize; i++) { for (int32_t listIdx = LIST_0; listIdx < LIST_A; ++listIdx) {- uint32_t j = 0;
- while (j < MAX_DPB_COUNT && pPicNewBuf->ppPic[i]->pRefPic[listIdx][j]) {- pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = 0;
- ++j;
+ for (int32_t j = 0; j < MAX_DPB_COUNT; j++) {+ if (pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] != NULL) {+ unsigned long long uiTimeStamp = pPicNewBuf->ppPic[i]->pRefPic[listIdx][j]->uiTimeStamp;
+ bool foundThePic = false;
+ for (int32_t k = 0; k < kiNewSize; k++) {+ if (pPicNewBuf->ppPic[k]->uiTimeStamp == uiTimeStamp) {+ pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = pPicNewBuf->ppPic[k];
+ foundThePic = true;
+ break;
+ }
+ }
+ if (!foundThePic) {+ pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = NULL;
+ }
+ }
}
}
}