Commit cccebfce authored by Janne Grunau's avatar Janne Grunau
Browse files

dav1d_decode_frame: always return negative values on error

Fixes an input validation error due to not cleared reference frame refs
in Dav1dFrameContext with
dav1d-fuzzing-data:artifacts/crash-b9015ad03b63131c25016592c3535da1268a08ad.
parent c3544c3f
...@@ -2541,8 +2541,6 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) { ...@@ -2541,8 +2541,6 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) {
} }
} }
dav1d_cdf_thread_unref(&f->in_cdf);
// 2-pass decoding: // 2-pass decoding:
// - enabled for frame-threading, so that one frame can do symbol parsing // - enabled for frame-threading, so that one frame can do symbol parsing
// as another (or multiple) are doing reconstruction. One advantage here // as another (or multiple) are doing reconstruction. One advantage here
...@@ -2578,9 +2576,7 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) { ...@@ -2578,9 +2576,7 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) {
for (int tile_col = 0; tile_col < f->frame_hdr.tiling.cols; tile_col++) { for (int tile_col = 0; tile_col < f->frame_hdr.tiling.cols; tile_col++) {
t->ts = &f->ts[tile_row * f->frame_hdr.tiling.cols + tile_col]; t->ts = &f->ts[tile_row * f->frame_hdr.tiling.cols + tile_col];
int res; if (dav1d_decode_tile_sbrow(t)) goto error;
if ((res = dav1d_decode_tile_sbrow(t)))
return res;
} }
// loopfilter + cdef + restoration // loopfilter + cdef + restoration
...@@ -2651,7 +2647,6 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) { ...@@ -2651,7 +2647,6 @@ int dav1d_decode_frame(Dav1dFrameContext *const f) {
dav1d_update_tile_cdf(&f->frame_hdr, f->out_cdf.cdf, dav1d_update_tile_cdf(&f->frame_hdr, f->out_cdf.cdf,
&f->ts[f->frame_hdr.tiling.update].cdf); &f->ts[f->frame_hdr.tiling.update].cdf);
dav1d_cdf_thread_signal(&f->out_cdf); dav1d_cdf_thread_signal(&f->out_cdf);
dav1d_cdf_thread_unref(&f->out_cdf);
} }
if (f->frame_thread.pass == 1) { if (f->frame_thread.pass == 1) {
assert(c->n_fc > 1); assert(c->n_fc > 1);
...@@ -2681,13 +2676,9 @@ error: ...@@ -2681,13 +2676,9 @@ error:
} }
dav1d_thread_picture_unref(&f->cur); dav1d_thread_picture_unref(&f->cur);
// need to be careful about these, currently the only two 'goto error' dav1d_cdf_thread_unref(&f->in_cdf);
// are before the {in,out}_cdf get unreffed if (f->frame_hdr.refresh_context)
if (retval != 0) {
if (f->frame_hdr.refresh_context)
dav1d_cdf_thread_unref(&f->out_cdf); dav1d_cdf_thread_unref(&f->out_cdf);
dav1d_cdf_thread_unref(&f->in_cdf);
}
if (f->cur_segmap_ref) if (f->cur_segmap_ref)
dav1d_ref_dec(f->cur_segmap_ref); dav1d_ref_dec(f->cur_segmap_ref);
if (f->prev_segmap_ref) if (f->prev_segmap_ref)
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment