ref: b735b80b743d5bb85059e8fb87efd0375bc5bc65
parent: 18ab22b67c271bbc845ae485094d72cb7527d1d2
author: Janne Grunau <janne-vlc@jannau.net>
date: Tue Dec 4 14:43:42 EST 2018
frame-mt: output delayed frames as soon as possible c->out can hold a valid picture on bitstream errors after 4903d87b73b5 when frame multi-threading is used. Output this picture instead of returning the return value of dav1d_parse_obus(). Fixes `assert(dst->data[0] == ((void*)0));` in dav1d_picture_ref with clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5743306491822080. Also fixes a memory leak of frames with clusterfuzz-testcase-minimized-dav1d_fuzzer_mt-5655593017147392. Credits to oss-fuzz.
--- a/src/lib.c
+++ b/src/lib.c
@@ -315,17 +315,19 @@
}
while (in->sz > 0) {- if ((res = dav1d_parse_obus(c, in, 0)) < 0) {+ res = dav1d_parse_obus(c, in, 0);
+ if (res < 0) {dav1d_data_unref(in);
- return res;
+ } else {+ assert((size_t)res <= in->sz);
+ in->sz -= res;
+ in->data += res;
+ if (!in->sz) dav1d_data_unref(in);
}
-
- assert((size_t)res <= in->sz);
- in->sz -= res;
- in->data += res;
- if (!in->sz) dav1d_data_unref(in);
if (c->out.data[0])
break;
+ if (res < 0)
+ return res;
}
if (c->out.data[0])