Call decoder_decode() even on invalid input data.
The first thing decoder_decode() does is to release the output frames
from the previous decoder_decode() call. We need that side effect even
when the input data pointer or data size is invalid, so that the
subsequent aom_codec_get_frame() call (which is called by
av1_dec_fuzzer.cc even after a failed aom_codec_decode() call) will not
return an old output frame again.
BUG=oss-fuzz:10151
Change-Id: I4e3f3b3a3d437abc0140074595d83ac285cf8149
(cherry picked from commit e81859e9fb0c842b015f298c3d7be0ae8b15f180)
diff --git a/aom/src/aom_decoder.c b/aom/src/aom_decoder.c
index e0cec10..8c9111f 100644
--- a/aom/src/aom_decoder.c
+++ b/aom/src/aom_decoder.c
@@ -101,9 +101,7 @@
size_t data_sz, void *user_priv) {
aom_codec_err_t res;
- /* Sanity checks */
- /* NULL data ptr allowed if data_sz is 0 too */
- if (!ctx || (!data && data_sz) || (data && !data_sz))
+ if (!ctx)
res = AOM_CODEC_INVALID_PARAM;
else if (!ctx->iface || !ctx->priv)
res = AOM_CODEC_ERROR;
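Review bot: Dropping the data/data_sz sanity check from the generic aom_codec_decode() wrapper silently changes the contract for every decoder interface: each `dec.decode` implementation is now responsible for rejecting a NULL pointer with a non-zero size (and a non-NULL pointer with a zero size), and the hunk leaves no comment at the spot saying so. A one-line comment where the check stood would stop the next maintainer from re-adding it and reintroducing the stale-frame problem the commit message describes, e.g. `/* data/data_sz validation is left to the interface's decode(), which must release pending output frames first, even on invalid input (see decoder_decode()). */`. The public description of aom_codec_decode() in the header is not part of this diff; if it states the NULL/size rule it should be updated to match. The enclosing function starts before this hunk and its body continues past it.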
diff --git a/av1/av1_dx_iface.c b/av1/av1_dx_iface.c
index 58e530f..b08531f 100644
--- a/av1/av1_dx_iface.c
+++ b/av1/av1_dx_iface.c
@@ -582,12 +582,11 @@
static aom_codec_err_t decoder_decode(aom_codec_alg_priv_t *ctx,
const uint8_t *data, size_t data_sz,
void *user_priv) {
- const uint8_t *data_start = data;
- const uint8_t *data_end = data + data_sz;
aom_codec_err_t res = AOM_CODEC_OK;
- // Release any pending output frames from the previous decoder call.
- // We need to do this even if the decoder is being flushed
+ // Release any pending output frames from the previous decoder_decode call.
+ // We need to do this even if the decoder is being flushed or the input
+ // arguments are invalid.
if (ctx->frame_workers) {
BufferPool *const pool = ctx->buffer_pool;
RefCntBuffer *const frame_bufs = pool->frame_bufs;
@@ -605,10 +604,13 @@
unlock_buffer_pool(ctx->buffer_pool);
}
+ /* Sanity checks */
+ /* NULL data ptr allowed if data_sz is 0 too */
if (data == NULL && data_sz == 0) {
ctx->flushed = 1;
return AOM_CODEC_OK;
}
+ if (data == NULL || data_sz == 0) return AOM_CODEC_INVALID_PARAM;
// Reset flushed when receiving a valid frame.
ctx->flushed = 0;
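Review bot: The new `if (data == NULL || data_sz == 0) return AOM_CODEC_INVALID_PARAM;` is deliberately placed below the pending-frame release at the top of decoder_decode(), but nothing at the check records that its position matters, so a later tidy-up could hoist both checks above the release block and bring back the stale-frame behaviour this commit fixes. Suggest extending the added comment to `/* Sanity checks. Keep these after the pending-frame release above: callers may call aom_codec_get_frame() even after a failed decode and must not get back the previous call's frame. */`. With the wrapper check removed in aom/src/aom_decoder.c, this line is now the only guard before `data + data_sz` is formed further down, so any future early use of data must stay below it. decoder_decode() begins in the previous hunk and continues beyond this one.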
@@ -619,6 +621,9 @@
if (res != AOM_CODEC_OK) return res;
}
+ const uint8_t *data_start = data;
+ const uint8_t *data_end = data + data_sz;
+
if (ctx->is_annexb) {
// read the size of this temporal unit
size_t length_of_size;