ref: a78d18a40052c8402e017e975fa5e9dc393da382
parent: ccb105af9e814d3e467edd28db753e52965a5d7a
author: xiaotiansf <xiaotianshimail@gmail.com>
date: Tue Apr 23 17:24:44 EDT 2019
Fix oss-fuzz reported bug 14423 which is caused by the fix of 14267 in DecreasePicBuff.
--- a/codec/decoder/core/src/decoder.cpp
+++ b/codec/decoder/core/src/decoder.cpp
@@ -212,21 +212,20 @@
//update references due to allocation changes
for (int32_t i = 0; i < kiNewSize; i++) { for (int32_t listIdx = LIST_0; listIdx < LIST_A; ++listIdx) {- for (int32_t j = 0; j < MAX_DPB_COUNT; j++) {- if (pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] != NULL) {- unsigned long long uiTimeStamp = pPicNewBuf->ppPic[i]->pRefPic[listIdx][j]->uiTimeStamp;
- bool foundThePic = false;
- for (int32_t k = 0; k < kiNewSize; k++) {- if (pPicNewBuf->ppPic[k]->uiTimeStamp == uiTimeStamp) {- pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = pPicNewBuf->ppPic[k];
- foundThePic = true;
- break;
- }
+ int32_t j = -1;
+ while (++j < MAX_DPB_COUNT && pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] != NULL) {+ unsigned long long uiTimeStamp = pPicNewBuf->ppPic[i]->pRefPic[listIdx][j]->uiTimeStamp;
+ bool foundThePic = false;
+ for (int32_t k = 0; k < kiNewSize; k++) {+ if (pPicNewBuf->ppPic[k]->uiTimeStamp == uiTimeStamp) {+ pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = pPicNewBuf->ppPic[k];
+ foundThePic = true;
+ break;
}
- if (!foundThePic) {- pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = NULL;
- }
}
+ if (!foundThePic) {+ pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = NULL;
+ }
}
}
}
@@ -242,7 +241,7 @@
// initialize context in queue
pPicNewBuf->iCapacity = kiNewSize;
- *ppPicBuf = pPicNewBuf;
+ * ppPicBuf = pPicNewBuf;
for (int32_t i = 0; i < pPicNewBuf->iCapacity; i++) {pPicNewBuf->ppPic[i]->bUsedAsRef = false;