shithub: libvpx

ref: 3fb6f75feb973a6c59a627c9375b431618fd5ee8
parent: 5fbc7a286b4d72883392fdbb10ec52bace662f66
author: Venkatarama NG. Avadhani <[email protected]>
date: Wed Oct 24 13:17:58 EDT 2018

Fix DoS in Error Streams

This fixes an issue where, in very rare error cases, one row of LPF
could be waiting infinitely for its previous row's LPF to complete.

With LPF optimization, the second row's LPF could be triggered before
the first row's LPF. In this case, the second row's LPF will wait for
LPF of n-sync number of SBs of the first row to finish. In error
streams, depending on when the error was detected, the LPF job of the
first row may then never be triggered. This puts the thread doing the
second row's LPF in an infinite wait.

The issue is reproducible once in approximately 500 runs of the clip in
bug 1562.

BUG=webm:1562

Change-Id: I265d7df5ceeff0410334f5b9a4181f895bb54cab

--- a/vp9/common/vp9_thread_common.c
+++ b/vp9/common/vp9_thread_common.c
@@ -8,6 +8,7 @@
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
+#include <limits.h>
 #include "./vpx_config.h"
 #include "vpx_dsp/vpx_dsp_common.h"
 #include "vpx_mem/vpx_mem.h"
@@ -402,6 +403,11 @@
   pthread_mutex_unlock(&lf_sync->recon_done_mutex[cur_row]);
   pthread_mutex_lock(&lf_sync->lf_mutex);
   if (lf_sync->corrupted) {
+    int row = return_val >> MI_BLOCK_SIZE_LOG2;
+    pthread_mutex_lock(&lf_sync->mutex[row]);
+    lf_sync->cur_sb_col[row] = INT_MAX;
+    pthread_cond_signal(&lf_sync->cond[row]);
+    pthread_mutex_unlock(&lf_sync->mutex[row]);
     return_val = -1;
   }
   pthread_mutex_unlock(&lf_sync->lf_mutex);
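
Review bot: In the added block under `if (lf_sync->corrupted)`, `row` is derived as `return_val >> MI_BLOCK_SIZE_LOG2` and immediately used to index `lf_sync->mutex`, `lf_sync->cur_sb_col` and `lf_sync->cond` with no range check. This same code path assigns `return_val = -1` a few lines later, so negative values are clearly in use as a sentinel; please assert or check that `return_val` is a valid non-negative row here and that `row` is within the size of those arrays, otherwise the corrupted-stream path can turn into an out-of-bounds access. Two smaller points: `lf_sync->mutex[row]` is acquired while `lf_sync->lf_mutex` is still held, so the intended lock order should be stated in a comment and checked against the waiting side; and `lf_sync->cur_sb_col[row] = INT_MAX;` deserves a one-line comment saying it is a sentinel that releases the next row's waiter on error. If more than one thread can ever wait on `cond[row]`, `pthread_cond_broadcast` would be the safer call than `pthread_cond_signal`.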