shithub: openh264

Download patch

ref: ed7526a2de6a139a3899077fc9dd5965a49e8546
parent: b4612e7626c1fea20dabccaf1d60be006a9c123f
parent: a78d18a40052c8402e017e975fa5e9dc393da382
author: huili2 <[email protected]>
date: Wed Apr 24 11:58:29 EDT 2019

Merge pull request #3125 from xiaotiansf/LastFixes

Fix oss-fuzz reported bug 14423 which is caused by the fix of 14267 i…

--- a/codec/decoder/core/src/decoder.cpp
+++ b/codec/decoder/core/src/decoder.cpp
@@ -212,21 +212,20 @@
   //update references due to allocation changes
   for (int32_t i = 0; i < kiNewSize; i++) {
     for (int32_t listIdx = LIST_0; listIdx < LIST_A; ++listIdx) {
-      for (int32_t j = 0; j < MAX_DPB_COUNT; j++) {
-        if (pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] != NULL) {
-          unsigned long long uiTimeStamp = pPicNewBuf->ppPic[i]->pRefPic[listIdx][j]->uiTimeStamp;
-          bool foundThePic = false;
-          for (int32_t k = 0; k < kiNewSize; k++) {
-            if (pPicNewBuf->ppPic[k]->uiTimeStamp == uiTimeStamp) {
-              pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = pPicNewBuf->ppPic[k];
-              foundThePic = true;
-              break;
-            }
+      int32_t j = -1;
+      while (++j < MAX_DPB_COUNT && pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] != NULL) {
+        unsigned long long uiTimeStamp = pPicNewBuf->ppPic[i]->pRefPic[listIdx][j]->uiTimeStamp;
+        bool foundThePic = false;
+        for (int32_t k = 0; k < kiNewSize; k++) {
+          if (pPicNewBuf->ppPic[k]->uiTimeStamp == uiTimeStamp) {
+            pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = pPicNewBuf->ppPic[k];
+            foundThePic = true;
+            break;
           }
-          if (!foundThePic) {
-            pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = NULL;
-          }
         }
+        if (!foundThePic) {
+          pPicNewBuf->ppPic[i]->pRefPic[listIdx][j] = NULL;
+        }
       }
     }
   }
@@ -242,7 +241,7 @@
 
   // initialize context in queue
   pPicNewBuf->iCapacity = kiNewSize;
-  *ppPicBuf             = pPicNewBuf;
+  * ppPicBuf             = pPicNewBuf;
 
   for (int32_t i = 0; i < pPicNewBuf->iCapacity; i++) {
     pPicNewBuf->ppPic[i]->bUsedAsRef = false;