Skip to content

Commit

Permalink
libavc: prevent picture buffer deletion while in use
Browse files Browse the repository at this point in the history 
Bug: 42520633
Test: ./avc_dec_fuzzer
  • Loading branch information
@anshjain04
anshjain04 committed Feb 26, 2025
1 parent 3916f3e commit e891dba
Showing 1 changed file with 17 additions and 7 deletions.
24 changes: 17 additions & 7 deletions decoder/ih264d_dpb_mgr.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1314,13 +1314,23 @@ WORD32 ih264d_do_mmco_buffer(dpb_commands_t *ps_dpb_cmds,
{
ps_nxtDPB = ps_next_dpb;
ps_nxtDPB->u1_lt_idx = MAX_REF_BUFS + 1;
ps_nxtDPB->u1_used_as_ref = UNUSED_FOR_REF;
ps_nxtDPB->s_top_field.u1_reference_info =
UNUSED_FOR_REF;
ps_nxtDPB->s_bot_field.u1_reference_info =
UNUSED_FOR_REF;

ps_nxtDPB->ps_pic_buf = NULL;

if(ps_nxtDPB->s_top_field.u1_reference_info == IS_LONG_TERM)
ps_nxtDPB->s_top_field.u1_reference_info =
UNUSED_FOR_REF;
if(ps_nxtDPB->s_bot_field.u1_reference_info == IS_LONG_TERM)
ps_nxtDPB->s_bot_field.u1_reference_info =
UNUSED_FOR_REF;

if(ps_nxtDPB->s_bot_field.u1_reference_info == UNUSED_FOR_REF && ps_nxtDPB->s_top_field.u1_reference_info == UNUSED_FOR_REF)
{
ps_nxtDPB->ps_pic_buf = NULL;
ps_nxtDPB->u1_used_as_ref = UNUSED_FOR_REF;
}
else
{
ps_nxtDPB->u1_used_as_ref = ps_nxtDPB->s_bot_field.u1_reference_info | ps_nxtDPB->s_top_field.u1_reference_info;
}
//Release buffer
ih264d_free_ref_pic_mv_bufs(ps_dpb_mgr->pv_codec_handle,
ps_nxtDPB->u1_buf_id);
Expand Down

0 comments on commit e891dba

Please sign in to comment.