

ref: fbb525f8430aef621b8eccbff085ae36134f5bf9
parent: 72780ebd1f5ea4dd22952f8bd35c23c14661c666
author: xiaotiansf <xiaotianshimail@gmail.com>
date: Thu Mar 28 17:55:52 EDT 2019

Fix oss-fuzz reported bug 13941 Heap-use-after-free in WelsDec::MapColToList0.

--- a/codec/decoder/core/src/decode_slice.cpp
+++ b/codec/decoder/core/src/decode_slice.cpp
@@ -2403,11 +2403,11 @@
     pCtx->bMbRefConcealed = pCtx->bRPLRError || pCtx->bMbRefConcealed || ! (ppRefPicL0[0] && ppRefPicL0[0]->bIsComplete)
                             || ! (ppRefPicL1[0] && ppRefPicL1[0]->bIsComplete);
 
-    if (pCtx->bMbRefConcealed) {
+    /*if (pCtx->bMbRefConcealed) {
       SLogContext* pLogCtx = & (pCtx->sLogCtx);
       WelsLog (pLogCtx, WELS_LOG_ERROR, "Ref Picture for B-Slice is lost, B-Slice decoding cannot be continued!");
       return GENERATE_ERROR_NO (ERR_LEVEL_SLICE_DATA, ERR_INFO_REFERENCE_PIC_LOST);
-    }
+    }*/
     //predict iMv
     SubMbType subMbType;
     if (pSliceHeader->iDirectSpatialMvPredFlag) {
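Review bot: Wrapping the `if (pCtx->bMbRefConcealed)` early return in `/* … */` removes the only check visible in this hunk that stops B-slice macroblock decoding when `ppRefPicL0[0]` or `ppRefPicL1[0]` is null or incomplete, so the MV prediction that follows now runs with a reference that may be missing. The function continues outside the hunk, so it cannot be confirmed from here that every later use of those pointers is null-checked; if it is not, keep a narrower guard such as `if (!ppRefPicL0[0] || !ppRefPicL1[0]) return GENERATE_ERROR_NO (ERR_LEVEL_SLICE_DATA, ERR_INFO_REFERENCE_PIC_LOST);`. Either way, delete the dead block instead of commenting it out, and leave a one-line comment stating why a concealed reference is now tolerated here and where the recovery is expected to happen.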
@@ -2467,7 +2467,7 @@
   if (iUsedBits > (pBs->iBits -
                    1)) { //When BS incomplete, as long as find it, SHOULD stop decoding to avoid mosaic or crash.
     WelsLog (& (pCtx->sLogCtx), WELS_LOG_WARNING,
-             "WelsDecodeMbCavlcISlice()::::pBs incomplete, iUsedBits:%" PRId64 " > pBs->iBits:%d, MUST stop decoding.",
+             "WelsDecodeMbCavlcBSlice()::::pBs incomplete, iUsedBits:%" PRId64 " > pBs->iBits:%d, MUST stop decoding.",
              (int64_t)iUsedBits, pBs->iBits);
     return GENERATE_ERROR_NO (ERR_LEVEL_MB_DATA, ERR_INFO_BS_INCOMPLETE);
   }
--- a/codec/decoder/plus/src/welsDecoderExt.cpp
+++ b/codec/decoder/plus/src/welsDecoderExt.cpp
@@ -592,6 +592,12 @@
       }
       return dsErrorFree;
     }
+    if ((m_pDecContext->iErrorCode == (dsBitstreamError | dsDataErrorConcealed)) && m_pDecContext->eSliceType == B_SLICE) {
+      if (ResetDecoder()) {
+        return DECODING_STATE (dsBitstreamError | dsDataErrorConcealed);
+      }
+      return dsErrorFree;
+    }
     //for AVC bitstream (excluding AVC with temporal scalability, including TP), as long as error occur, SHOULD notify upper layer key frame loss.
     if ((IS_PARAM_SETS_NALS (eNalType) || NAL_UNIT_CODED_SLICE_IDR == eNalType) ||
         (VIDEO_BITSTREAM_AVC == m_pDecContext->eVideoType)) {
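Review bot: The added condition compares `m_pDecContext->iErrorCode` for exact equality with `(dsBitstreamError | dsDataErrorConcealed)`, so a B slice that fails with those two flags plus any other bit set skips `ResetDecoder()` and falls through to the older handling. The value looks like an OR-ed bitmask, which would make a mask test the safer form: `if ((m_pDecContext->iErrorCode & (dsBitstreamError | dsDataErrorConcealed)) == (dsBitstreamError | dsDataErrorConcealed) && m_pDecContext->eSliceType == B_SLICE) {`. The branch also returns `dsErrorFree` after a successful reset, which tells the caller nothing went wrong even though the decoder state was discarded; confirm that is intended and say so in a comment, along with which `ResetDecoder()` return value means failure. The enclosing function starts and ends outside the hunk.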