shithub: openh264

Download patch

ref: 569aa5c9897f1494e32133d615cb69ebb05fdc0c
parent: 2e5f1b213478bfe830ad846088d6ad14c1400dd5
parent: cfb22048d8d8aa6033769f50e726f27d40d0bd5b
author: huili2 <[email protected]>
date: Mon Mar 4 04:27:31 EST 2019

Merge pull request #3105 from xiaotiansf/NewBugzilla2

Fix ossz-buzz reported bug 13457. (Don't try to dereference never exi…

--- a/codec/decoder/core/src/decoder.cpp
+++ b/codec/decoder/core/src/decoder.cpp
@@ -167,17 +167,20 @@
 
 static void ResetRefPicReferences (const PWelsDecoderContext& pCtx, const PPicture& inPPic) {
   //seach and reset the references of deleted references.
-  for (int32_t list = LIST_0; list < LIST_A; ++list) {
+  int32_t list_count = pCtx->eSliceType == B_SLICE ? 2 : 1;
+  for (int32_t list = LIST_0; list < list_count; ++list) {
     int32_t refIdx = 0;
     PPicture pPic = pCtx->sRefPic.pRefList[list][refIdx];
     while (refIdx < MAX_DPB_COUNT && pPic != NULL) {
       ++refIdx;
-      int32_t ref = 0;
-      while (ref < MAX_DPB_COUNT && *pPic->pRefPic[ref] != NULL) {
-        if (*pPic->pRefPic[ref] == inPPic) {
-          *pPic->pRefPic[ref] = NULL;
+      for (int32_t i = LIST_0; i < LIST_A; ++i) {
+        int32_t ref = 0;
+        while (ref < MAX_DPB_COUNT && pPic->pRefPic[i][ref] != NULL) {
+          if (pPic->pRefPic[i][ref] == inPPic) {
+            pPic->pRefPic[i][ref] = NULL;
+          }
+          ++ref;
         }
-        ++ref;
       }
     }
   }
--- a/codec/decoder/plus/src/welsDecoderExt.cpp
+++ b/codec/decoder/plus/src/welsDecoderExt.cpp
@@ -581,12 +581,6 @@
 
     eNalType = m_pDecContext->sCurNalHead.eNalUnitType;
 
-    if ((m_pDecContext->iErrorCode & dsRefLost) && m_pDecContext->eSliceType == B_SLICE) {
-      if (ResetDecoder()) {
-        return dsRefLost;
-      }
-      return dsErrorFree;
-    }
     if (m_pDecContext->iErrorCode & dsOutOfMemory) {
       if (ResetDecoder()) {
         return dsOutOfMemory;