ref: 4903d87b73b5bc7bd7fe949034666dc2bc4512af
parent: 8cf300206d60d904afb1f7d1e60c86152da3337c
author: Janne Grunau <janne-vlc@jannau.net>
date: Mon Dec 3 15:12:46 EST 2018
frame-mt: output only fully decoded frames Fixes use of uninitialized vaue in apply_to_row_y() with clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5753369222709248. Credits to oss-fuzz.
--- a/src/decode.c
+++ b/src/decode.c
@@ -2987,7 +2987,9 @@
&f->frame_thread.td.lock);
out_delayed = &c->frame_thread.out_delayed[next];
if (out_delayed->p.data[0]) {- if (out_delayed->visible)
+ const unsigned progress = atomic_load_explicit(&out_delayed->progress[1],
+ memory_order_relaxed);
+ if (out_delayed->visible && progress != FRAME_ERROR)
dav1d_picture_ref(&c->out, &out_delayed->p);
dav1d_thread_picture_unref(out_delayed);
}
@@ -3308,7 +3310,10 @@
dav1d_thread_picture_unref(&f->refp[i]);
dav1d_ref_dec(&f->ref_mvs_ref[i]);
}
- dav1d_picture_unref(&c->out);
+ if (c->n_fc == 1)
+ dav1d_picture_unref(&c->out);
+ else
+ dav1d_thread_picture_unref(out_delayed);
dav1d_picture_unref(&f->cur);
dav1d_thread_picture_unref(&f->sr_cur);
dav1d_ref_dec(&f->mvs_ref);