vp9: fix m/t loop filter invalid free store the number of allocated rows in VP9LfSync, the calculated values can not be relied on when dealing with corrupt material. Change-Id: I13b8bcec9738c299a71df726772ab7ac05511e5b
diff --git a/test/invalid_file_test.cc b/test/invalid_file_test.cc index 8b18df6..cf86cf5 100644 --- a/test/invalid_file_test.cc +++ b/test/invalid_file_test.cc
@@ -147,6 +147,7 @@ {4, "invalid-" "vp90-2-08-tile_1x2_frame_parallel.webm.ivf.s47039_r01-05_b6-.ivf"}, {2, "invalid-vp90-2-09-aq2.webm.ivf.s3984_r01-05_b6-.ivf"}, + {4, "invalid-vp90-2-09-subpixel-00.ivf.s19552_r01-05_b6-.ivf"}, }; INSTANTIATE_TEST_CASE_P(
diff --git a/test/test-data.sha1 b/test/test-data.sha1 index 7956e50..d2bc5a8 100644 --- a/test/test-data.sha1 +++ b/test/test-data.sha1
@@ -685,3 +685,5 @@ 0a3884edb3fd8f9d9b500223e650f7de257b67d8 invalid-vp90-2-08-tile_1x2_frame_parallel.webm.ivf.s47039_r01-05_b6-.ivf.res fac89b5735be8a86b0dc05159f996a5c3208ae32 invalid-vp90-2-09-aq2.webm.ivf.s3984_r01-05_b6-.ivf 22e0ee8babe574722baf4ef6d7ff5d7cf80d386c invalid-vp90-2-09-aq2.webm.ivf.s3984_r01-05_b6-.ivf.res +4506dfdcdf8ee4250924b075a0dcf1f070f72e5a invalid-vp90-2-09-subpixel-00.ivf.s19552_r01-05_b6-.ivf +d3ea592c8d7b05d14c7ed48befc0a3aaf7709b7a invalid-vp90-2-09-subpixel-00.ivf.s19552_r01-05_b6-.ivf.res
diff --git a/test/test.mk b/test/test.mk index fe5a1cf..e592a70 100644 --- a/test/test.mk +++ b/test/test.mk
@@ -807,6 +807,8 @@ LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-08-tile_1x4_frame_parallel_all_key.webm.res LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-09-aq2.webm.ivf.s3984_r01-05_b6-.ivf LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-09-aq2.webm.ivf.s3984_r01-05_b6-.ivf.res +LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-09-subpixel-00.ivf.s19552_r01-05_b6-.ivf +LIBVPX_TEST_DATA-$(CONFIG_VP9_DECODER) += invalid-vp90-2-09-subpixel-00.ivf.s19552_r01-05_b6-.ivf.res ifeq ($(CONFIG_DECODE_PERF_TESTS),yes) # BBB VP9 streams
diff --git a/vp9/decoder/vp9_decoder.c b/vp9/decoder/vp9_decoder.c index e79dcf3..ae0da79 100644 --- a/vp9/decoder/vp9_decoder.c +++ b/vp9/decoder/vp9_decoder.c
@@ -96,10 +96,8 @@ } vpx_free(pbi->tile_workers); - if (pbi->num_tile_workers) { - const int sb_rows = - mi_cols_aligned_to_sb(cm->mi_rows) >> MI_BLOCK_SIZE_LOG2; - vp9_loop_filter_dealloc(&pbi->lf_row_sync, sb_rows); + if (pbi->num_tile_workers > 0) { + vp9_loop_filter_dealloc(&pbi->lf_row_sync); } vp9_remove_common(cm);
diff --git a/vp9/decoder/vp9_dthread.c b/vp9/decoder/vp9_dthread.c index cf5cc8c..b82ea6a 100644 --- a/vp9/decoder/vp9_dthread.c +++ b/vp9/decoder/vp9_dthread.c
@@ -148,16 +148,7 @@ // Allocate memory used in thread synchronization. // This always needs to be done even if frame_filter_level is 0. if (!lf_sync->sync_range || cm->last_height != cm->height) { - if (cm->last_height != cm->height) { - const int aligned_last_height = - ALIGN_POWER_OF_TWO(cm->last_height, MI_SIZE_LOG2); - const int last_sb_rows = - mi_cols_aligned_to_sb(aligned_last_height >> MI_SIZE_LOG2) >> - MI_BLOCK_SIZE_LOG2; - - vp9_loop_filter_dealloc(lf_sync, last_sb_rows); - } - + vp9_loop_filter_dealloc(lf_sync); vp9_loop_filter_alloc(cm, lf_sync, sb_rows, cm->width); } @@ -227,19 +218,22 @@ // Allocate memory for lf row synchronization void vp9_loop_filter_alloc(VP9_COMMON *cm, VP9LfSync *lf_sync, int rows, int width) { + lf_sync->rows = rows; #if CONFIG_MULTITHREAD - int i; + { + int i; - CHECK_MEM_ERROR(cm, lf_sync->mutex_, - vpx_malloc(sizeof(*lf_sync->mutex_) * rows)); - for (i = 0; i < rows; ++i) { - pthread_mutex_init(&lf_sync->mutex_[i], NULL); - } + CHECK_MEM_ERROR(cm, lf_sync->mutex_, + vpx_malloc(sizeof(*lf_sync->mutex_) * rows)); + for (i = 0; i < rows; ++i) { + pthread_mutex_init(&lf_sync->mutex_[i], NULL); + } - CHECK_MEM_ERROR(cm, lf_sync->cond_, - vpx_malloc(sizeof(*lf_sync->cond_) * rows)); - for (i = 0; i < rows; ++i) { - pthread_cond_init(&lf_sync->cond_[i], NULL); + CHECK_MEM_ERROR(cm, lf_sync->cond_, + vpx_malloc(sizeof(*lf_sync->cond_) * rows)); + for (i = 0; i < rows; ++i) { + pthread_cond_init(&lf_sync->cond_[i], NULL); + } } #endif // CONFIG_MULTITHREAD @@ -251,23 +245,19 @@ } // Deallocate lf synchronization related mutex and data -void vp9_loop_filter_dealloc(VP9LfSync *lf_sync, int rows) { -#if !CONFIG_MULTITHREAD - (void)rows; -#endif // !CONFIG_MULTITHREAD - +void vp9_loop_filter_dealloc(VP9LfSync *lf_sync) { if (lf_sync != NULL) { #if CONFIG_MULTITHREAD int i; if (lf_sync->mutex_ != NULL) { - for (i = 0; i < rows; ++i) { + for (i = 0; i < lf_sync->rows; ++i) { pthread_mutex_destroy(&lf_sync->mutex_[i]); } vpx_free(lf_sync->mutex_); } if (lf_sync->cond_ != NULL) { - for (i = 0; i < rows; ++i) { + for (i = 0; i < lf_sync->rows; ++i) { pthread_cond_destroy(&lf_sync->cond_[i]); } vpx_free(lf_sync->cond_);
diff --git a/vp9/decoder/vp9_dthread.h b/vp9/decoder/vp9_dthread.h index 423bd88..8b02ef7 100644 --- a/vp9/decoder/vp9_dthread.h +++ b/vp9/decoder/vp9_dthread.h
@@ -38,6 +38,7 @@ // The optimal sync_range for different resolution and platform should be // determined by testing. Currently, it is chosen to be a power-of-2 number. int sync_range; + int rows; } VP9LfSync; // Allocate memory for loopfilter row synchronization. @@ -45,7 +46,7 @@ int rows, int width); // Deallocate loopfilter synchronization related mutex and data. -void vp9_loop_filter_dealloc(VP9LfSync *lf_sync, int rows); +void vp9_loop_filter_dealloc(VP9LfSync *lf_sync); // Multi-threaded loopfilter that uses the tile threads. void vp9_loop_filter_frame_mt(YV12_BUFFER_CONFIG *frame,