
ref: 8a96d06fa2fded2ac7f7c2b02942347fe8fc6d45
parent: 669089d63a48f45a1e0c0a79f150423cced0379c
parent: 5ebb64cc45e3da3e6a58263cbed294b44b4bf827
author: zhilwang <zhilwang@cisco.com>
date: Fri Aug 14 11:44:21 EDT 2015

Merge pull request #2074 from HaiboZhu/Bugfix_max_ref_pic_count_error

Bug fix about RefList size memory access violation

--- a/codec/decoder/core/inc/decoder_context.h
+++ b/codec/decoder/core/inc/decoder_context.h
@@ -143,9 +143,9 @@
 
 /**/
 typedef struct TagRefPic {
-  PPicture      pRefList[LIST_A][MAX_REF_PIC_COUNT];    // reference picture marking plus FIFO scheme
-  PPicture      pShortRefList[LIST_A][MAX_SHORT_REF_COUNT];
-  PPicture      pLongRefList[LIST_A][MAX_LONG_REF_COUNT];
+  PPicture      pRefList[LIST_A][MAX_DPB_COUNT];    // reference picture marking plus FIFO scheme
+  PPicture      pShortRefList[LIST_A][MAX_DPB_COUNT];
+  PPicture      pLongRefList[LIST_A][MAX_DPB_COUNT];
   uint8_t       uiRefCount[LIST_A];
   uint8_t       uiShortRefCount[LIST_A];
   uint8_t       uiLongRefCount[LIST_A]; // dependend on ref pic module
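Review bot: pShortRefList and pLongRefList are now sized by MAX_DPB_COUNT, but MAX_SHORT_REF_COUNT and MAX_LONG_REF_COUNT stay defined in wels_const.h and nothing in the diff ties the three constants together. If code outside this diff still bounds an index by the old constants, or MAX_REF_PIC_COUNT is lowered later, the arrays could be smaller than the bound used to index them. Assuming MAX_REF_PIC_COUNT is a plain integer macro, a preprocessor check next to the new define would make the relationship explicit: `#if MAX_DPB_COUNT < MAX_SHORT_REF_COUNT || MAX_DPB_COUNT < MAX_LONG_REF_COUNT`, `#error "ref list arrays smaller than short/long ref limits"`, `#endif`. The struct body continues past the end of this hunk.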
--- a/codec/decoder/core/inc/wels_const.h
+++ b/codec/decoder/core/inc/wels_const.h
@@ -46,6 +46,7 @@
 #define MIN_REF_PIC_COUNT               1               // minimal count number of reference pictures, 1 short + 2 key reference based?
 #define MAX_SHORT_REF_COUNT             16              // maximal count number of short reference pictures
 #define MAX_LONG_REF_COUNT              16              // maximal count number of long reference pictures
+#define MAX_DPB_COUNT			(MAX_REF_PIC_COUNT + 1) // 1 additional position for re-order and other process
 
 #define MAX_MMCO_COUNT                  66
 
--- a/codec/decoder/core/src/manage_dec_ref.cpp
+++ b/codec/decoder/core/src/manage_dec_ref.cpp
@@ -89,7 +89,7 @@
 
   pRefPic->uiRefCount[LIST_0] = 0;
 
-  for (i = 0; i < MAX_SHORT_REF_COUNT; i++) {
+  for (i = 0; i < MAX_DPB_COUNT; i++) {
     if (pRefPic->pShortRefList[LIST_0][i] != NULL) {
       SetUnRef (pRefPic->pShortRefList[LIST_0][i]);
       pRefPic->pShortRefList[LIST_0][i] = NULL;
@@ -97,7 +97,7 @@
   }
   pRefPic->uiShortRefCount[LIST_0] = 0;
 
-  for (i = 0; i < MAX_LONG_REF_COUNT; i++) {
+  for (i = 0; i < MAX_DPB_COUNT; i++) {
     if (pRefPic->pLongRefList[LIST_0][i] != NULL) {
       SetUnRef (pRefPic->pLongRefList[LIST_0][i]);
       pRefPic->pLongRefList[LIST_0][i] = NULL;
@@ -158,7 +158,7 @@
 
   PPicture* ppShoreRefList = pCtx->sRefPic.pShortRefList[LIST_0];
   PPicture* ppLongRefList  = pCtx->sRefPic.pLongRefList[LIST_0];
-  memset (pCtx->sRefPic.pRefList[LIST_0], 0, MAX_REF_PIC_COUNT * sizeof (PPicture));
+  memset (pCtx->sRefPic.pRefList[LIST_0], 0, MAX_DPB_COUNT * sizeof (PPicture));
   //short
   for (i = 0; i < pCtx->sRefPic.uiShortRefCount[LIST_0]; ++i) {
     pCtx->sRefPic.pRefList[LIST_0][iCount++ ] = ppShoreRefList[i];
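Review bot: The memset length repeats the array dimension by hand, which is the kind of declaration/use mismatch this commit repairs. `memset (pCtx->sRefPic.pRefList[LIST_0], 0, sizeof (pCtx->sRefPic.pRefList[LIST_0]));` would follow the declaration in decoder_context.h automatically. Separately, the copy loop under `//short` advances `iCount` by uiShortRefCount with no visible comparison against the array size. The function starts and ends outside this hunk, so a bound may exist there. If it does not, the loop condition should also require `iCount < MAX_DPB_COUNT`.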
@@ -179,7 +179,7 @@
   PSliceHeader pSliceHeader = &pCtx->pCurDqLayer->sLayerInfo.sSliceInLayer.sSliceHeaderExt.sSliceHeader;
   PPicture pPic = NULL;
   PPicture* ppRefList = pCtx->sRefPic.pRefList[LIST_0];
-  int32_t iMaxRefIdx = pCtx->pSps->iNumRefFrames + 1;
+  int32_t iMaxRefIdx = pCtx->pSps->iNumRefFrames;
   int32_t iRefCount = pCtx->sRefPic.uiRefCount[LIST_0];
   int32_t iPredFrameNum = pSliceHeader->iFrameNum;
   int32_t iMaxPicNum = 1 << pSliceHeader->pSps->uiLog2MaxFrameNum;
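Review bot: `iMaxRefIdx` now comes directly from `pCtx->pSps->iNumRefFrames`, a value parsed from the bitstream, and in the last hunk of this file it becomes the highest index the memmove writes in `ppRefList`. That write is in bounds only while iNumRefFrames does not exceed MAX_DPB_COUNT - 1, and the hunk does not show where that limit is enforced. It is worth confirming that SPS parsing rejects larger values, or adding a local guard such as `if (iMaxRefIdx < 0 || iMaxRefIdx >= MAX_DPB_COUNT)` that takes the function's existing error return. The function body starts and ends outside this hunk.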
@@ -251,7 +251,7 @@
                  (i - iReorderingIndex)*sizeof (PPicture)); //confirmed_safe_unsafe_usage
       } else if (i < iReorderingIndex) {
         memmove (&ppRefList[1 + iReorderingIndex], &ppRefList[iReorderingIndex],
-                 (iMaxRefIdx - 1 - iReorderingIndex)*sizeof (PPicture));
+                 (iMaxRefIdx - iReorderingIndex)*sizeof (PPicture));
       }
       ppRefList[iReorderingIndex] = pPic;
       iReorderingIndex++;
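Review bot: The memmove length `(iMaxRefIdx - iReorderingIndex)*sizeof (PPicture)` is an int32_t difference converted to size_t, so it wraps to a very large value if iReorderingIndex ever exceeds iMaxRefIdx. The loop condition that limits iReorderingIndex is outside this hunk. If it does not already guarantee `iReorderingIndex <= iMaxRefIdx`, that should be checked before the memmove. A short comment would also help, stating that the shift writes up to `ppRefList[iMaxRefIdx]` and that this is the extra slot MAX_DPB_COUNT reserves, so the reason for dropping the `- 1` is recorded at the call site.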