From 0261fb4c4ff251a07a6d3c0ea10a3e655615ae22 Mon Sep 17 00:00:00 2001 From: James Zern Date: Tue, 3 Feb 2015 19:55:55 -0800 Subject: [PATCH] vp9: fix segfault w/corrupt data post frame-parallel merge cm->frame_bufs[].idx values were made consistent in: 61c5e94 Use -1 consistently as invalid buffer idx update the initialization in swap_frame_buffers() to match. additionally: - remove some shadowed variables in the former and marked them volatile Change-Id: Ie3f9636c405bd822112bb56bd22d28024ae98909
---
 test/invalid_file_test.cc | 2 ++
 test/test-data.mk | 4 ++++
 test/test-data.sha1 | 6 +++++-
 vp9/decoder/vp9_decoder.c | 13 ++++++-------
 4 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/test/invalid_file_test.cc b/test/invalid_file_test.cc
index 039b726..2cbbc6b 100644
--- a/test/invalid_file_test.cc
+++ b/test/invalid_file_test.cc
@@ -121,6 +121,8 @@ const DecodeParam kVP9InvalidFileTests[] = {
 {1, "invalid-vp90-2-09-subpixel-00.ivf.s20492_r01-05_b6-.v2.ivf"},
 {1, "invalid-vp91-2-mixedrefcsp-444to420.ivf"},
 {1, "invalid-vp90-2-12-droppable_1.ivf.s73804_r01-05_b6-.ivf"},
+ {1, "invalid-vp90-2-03-size-224x196.webm.ivf.s44156_r01-05_b6-.ivf"},
+ {1, "invalid-vp90-2-03-size-202x210.webm.ivf.s113306_r01-05_b6-.ivf"},
 };
 VP9_INSTANTIATE_TEST_CASE(InvalidFileTest,
diff --git a/test/test-data.mk b/test/test-data.mk
index da36d1a..5889ed9 100644
--- a/test/test-data.mk
+++ b/test/test-data.mk
@@ -698,6 +698,10 @@ LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-00-quantizer-11.webm.iv
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-00-quantizer-11.webm.ivf.s52984_r01-05_b6-.ivf.res
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-00-quantizer-11.webm.ivf.s52984_r01-05_b6-z.ivf
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-00-quantizer-11.webm.ivf.s52984_r01-05_b6-z.ivf.res
+LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-03-size-202x210.webm.ivf.s113306_r01-05_b6-.ivf
+LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-03-size-202x210.webm.ivf.s113306_r01-05_b6-.ivf.res
+LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-03-size-224x196.webm.ivf.s44156_r01-05_b6-.ivf
+LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-03-size-224x196.webm.ivf.s44156_r01-05_b6-.ivf.res
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-05-resize.ivf.s59293_r01-05_b6-.ivf
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-05-resize.ivf.s59293_r01-05_b6-.ivf.res
 LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-08-tile_1x2_frame_parallel.webm.ivf.s47039_r01-05_b6-.ivf
diff --git a/test/test-data.sha1 b/test/test-data.sha1
index 83a5501..cc5fe23 100644
--- a/test/test-data.sha1
+++ b/test/test-data.sha1
@@ -736,4 +736,8 @@ f97088c7359fc8d3d5aa5eafe57bc7308b3ee124 vp90-2-20-big_superframe-01.webm
 bfc82bf848e9c05020d61e3ffc1e62f25df81d19 vp90-2-07-frame_parallel-1.webm.md5
 efd5a51d175cfdacd169ed23477729dc558030dc invalid-vp90-2-07-frame_parallel-1.webm
 9f912712ec418be69adb910e2ca886a63c4cec08 invalid-vp90-2-07-frame_parallel-2.webm
-445f5a53ca9555341852997ccdd480a51540bd14 invalid-vp90-2-07-frame_parallel-3.webm
\ No newline at end of file
+445f5a53ca9555341852997ccdd480a51540bd14 invalid-vp90-2-07-frame_parallel-3.webm
+d18c90709a0d03c82beadf10898b27d88fff719c invalid-vp90-2-03-size-224x196.webm.ivf.s44156_r01-05_b6-.ivf
+d06285d109ecbaef63b0cbcc44d70a129186f51c invalid-vp90-2-03-size-224x196.webm.ivf.s44156_r01-05_b6-.ivf.res
+e60d859b0ef2b331b21740cf6cb83fabe469b079 invalid-vp90-2-03-size-202x210.webm.ivf.s113306_r01-05_b6-.ivf
+0ae808dca4d3c1152a9576e14830b6faa39f1b4a invalid-vp90-2-03-size-202x210.webm.ivf.s113306_r01-05_b6-.ivf.res
diff --git a/vp9/decoder/vp9_decoder.c b/vp9/decoder/vp9_decoder.c
index aee4620..29274e6 100644
--- a/vp9/decoder/vp9_decoder.c
+++ b/vp9/decoder/vp9_decoder.c
@@ -257,14 +257,14 @@ static void swap_frame_buffers(VP9Decoder *pbi) {
 // Invalidate these references until the next frame starts.
 for (ref_index = 0; ref_index < 3; ref_index++)
- cm->frame_refs[ref_index].idx = INT_MAX;
+ cm->frame_refs[ref_index].idx = -1;
 }
 int vp9_receive_compressed_data(VP9Decoder *pbi,
 size_t size, const uint8_t **psource) {
 VP9_COMMON *volatile const cm = &pbi->common;
- BufferPool *const pool = cm->buffer_pool;
- RefCntBuffer *const frame_bufs = cm->buffer_pool->frame_bufs;
+ BufferPool *volatile const pool = cm->buffer_pool;
+ RefCntBuffer *volatile const frame_bufs = cm->buffer_pool->frame_bufs;
 const uint8_t *source = *psource;
 int retcode = 0;
 cm->error.error_code = VPX_CODEC_OK;
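Review bot: The bare `-1` written to `cm->frame_refs[ref_index].idx` in swap_frame_buffers() is the invalid-index sentinel, and the segfault this commit fixes came from INT_MAX and -1 both being used for it. A shared named constant would be safer than a literal, for example `cm->frame_refs[ref_index].idx = INVALID_BUF_IDX;`, where `INVALID_BUF_IDX` is a placeholder name for a macro defined next to the buffer types. The `volatile` added to `pool` and `frame_bufs` in vp9_receive_compressed_data() is also unexplained. They are presumably read again in the setjmp() recovery block further down, so a comment such as `// volatile: still read after longjmp() returns to the setjmp() below` would keep a later cleanup from dropping the qualifier. Both function bodies extend outside the hunk.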
@@ -278,8 +278,10 @@ int vp9_receive_compressed_data(VP9Decoder *pbi,
 // TODO(jkoleszar): Error concealment is undefined and non-normative
 // at this point, but if it becomes so, [0] may not always be the correct
 // thing to do here.
- if (cm->frame_refs[0].idx > 0)
+ if (cm->frame_refs[0].idx > 0) {
+ assert(cm->frame_refs[0].buf != NULL);
 cm->frame_refs[0].buf->corrupted = 1;
+ }
 }
 pbi->ready_for_new_data = 0;
@@ -312,7 +314,6 @@ int vp9_receive_compressed_data(VP9Decoder *pbi,
 if (setjmp(cm->error.jmp)) {
 const VP9WorkerInterface *const winterface = vp9_get_worker_interface();
- VP9_COMMON *const cm = &pbi->common;
 int i;
 cm->error.setjmp = 0;
@@ -329,8 +330,6 @@ int vp9_receive_compressed_data(VP9Decoder *pbi,
 // Release all the reference buffers if worker thread is holding them.
 if (pbi->hold_ref_buf == 1) {
 int ref_index = 0, mask;
- BufferPool *const pool = cm->buffer_pool;
- RefCntBuffer *const frame_bufs = cm->buffer_pool->frame_bufs;
 for (mask = pbi->refresh_frame_flags; mask; mask >>= 1) {
 const int old_idx = cm->ref_frame_map[ref_index];
 // Current thread releases the holding of reference frame.
-- 
2.7.4
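Review bot: The added `assert(cm->frame_refs[0].buf != NULL);` in the -278,8 hunk is compiled out when NDEBUG is defined, so in release builds the dereference on the following line is still guarded only by the `idx > 0` test. Since this path runs when the decoder is handed empty or possibly corrupt data, the NULL check is better made part of the condition, `if (cm->frame_refs[0].idx > 0 && cm->frame_refs[0].buf != NULL) {`, keeping the assert if the invariant should also trip in debug builds. Separately, with -1 now the invalid value, index 0 looks like a valid buffer index that `> 0` skips; confirm whether `>= 0` is intended. The enclosing function starts and ends outside the hunk.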