Better way to fix oss-fuzz reported bug 14267 by re-assigning referen…

…ce's references after memory reallocations in DecreasePicBuff instead of just reset.
hibive · Apr 21, 2019 · 84b5847 · 84b5847
1 parent 1f1db72
commit 84b5847
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/codec/decoder/core/src/decoder.cpp b/codec/decoder/core/src/decoder.cpp
@@ -209,13 +209,24 @@ static int32_t DecreasePicBuff (PWelsDecoderContext pCtx, PPicBuff* ppPicBuf, co
  iDelIdx = kiNewSize;
  }
 
- //remove references
+ //update references due to allocation changes
  for (int32_t i = 0; i < kiNewSize; i++) {
  for (int32_t listIdx = LIST_0; listIdx < LIST_A; ++listIdx) {
- uint32_t j = 0;
- while (j < MAX_DPB_COUNT && pPicNewBuf->ppPic[i]->pRefPic[listIdx][j]) {
- pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = 0;
- ++j;
+ for (int32_t j = 0; j < MAX_DPB_COUNT; j++) {
+ if (pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] != NULL) {
+ unsigned long long uiTimeStamp = pPicNewBuf->ppPic[i]->pRefPic[listIdx][j]->uiTimeStamp;
+ bool foundThePic = false;
+ for (int32_t k = 0; k < kiNewSize; k++) {
+ if (pPicNewBuf->ppPic[k]->uiTimeStamp == uiTimeStamp) {
+ pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = pPicNewBuf->ppPic[k];
+ foundThePic = true;
+ break;
+ }
+ }
+ if (!foundThePic) {
+ pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = NULL;
+ }
+ }
  }
  }
  }