diff options
| author | Vignesh Venkatasubramanian <vigneshv@google.com> | 2016-08-26 10:12:29 -0700 |
|---|---|---|
| committer | gitbuildkicker <android-build@google.com> | 2016-09-27 18:10:54 -0700 |
| commit | fb3a9b9c31934ce3f84ee158593711f70bf89c8a (patch) | |
| tree | 8e925445e84720214de3cf43ced220e7bd304a1a | |
| parent | b2c588da1f3c0fbe23b92106981e0173da74f979 (diff) | |
| download | libvpx-marshmallow-mr1-release.tar.gz | |
DO NOT MERGE | libvpx: Cherry-pick 0f42d1f from upstreamandroid-6.0.1_r73marshmallow-mr1-release
Description from upstream:
vp8: fix decoder crash with invalid leading keyframes
decoding the same invalid keyframe twice would result in a crash as the
second time through the decoder would be assumed to have been
initialized as there was no resolution change. in this case the
resolution was itself invalid (0x6), but vp8_peek_si() was only failing
in the case of 0x0.
invalid-vp80-00-comprehensive-018.ivf.2kf_0x6.ivf tests this case by
duplicating the first keyframe and additionally adds a valid one to
ensure decoding can resume without error.
Bug: 30593765
Change-Id: I0de85f5a5eb5c0a5605230faf20c042b69aea507
(cherry picked from commit fc0466b695dce03e10390101844caa374848d903)
(cherry picked from commit 1114575245cb9d2f108749f916c76549524f5136)
| -rw-r--r-- | libvpx/vp8/vp8_dx_iface.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/libvpx/vp8/vp8_dx_iface.c b/libvpx/vp8/vp8_dx_iface.c index 72e4770c0..847cafb40 100644 --- a/libvpx/vp8/vp8_dx_iface.c +++ b/libvpx/vp8/vp8_dx_iface.c @@ -198,8 +198,8 @@ static vpx_codec_err_t vp8_peek_si_internal(const uint8_t *data, si->h = (clear[8] | (clear[9] << 8)) & 0x3fff; /*printf("w=%d, h=%d\n", si->w, si->h);*/ - if (!(si->h | si->w)) - res = VPX_CODEC_UNSUP_BITSTREAM; + if (!(si->h && si->w)) + res = VPX_CODEC_CORRUPT_FRAME; } else { @@ -421,6 +421,10 @@ static vpx_codec_err_t vp8_decode(vpx_codec_alg_priv_t *ctx, if (setjmp(pbi->common.error.jmp)) { pbi->common.error.setjmp = 0; + /* on failure clear the cached resolution to ensure a full + * reallocation is attempted on resync. */ + ctx->si.w = 0; + ctx->si.h = 0; vp8_clear_system_state(); /* same return value as used in vp8dx_receive_compressed_data */ return -1; |