[FFmpeg-cvslog] lavc/vvc: Set fc->ref to NULL at top of decode_nal_units

[Frank Plowman]

ffmpeg | branch: master | Frank Plowman <post at frankplowman.com> | Sat Feb  8 21:42:56 2025 +0000| [e417f939da2d04abfe6ad1f93aa47be334b66771] | committer: Nuo Mi

lavc/vvc: Set fc->ref to NULL at top of decode_nal_units

In the fail: block of decode_nal_units, a check as to whether fc->ref is
nonzero is used.  Before this patch, fc->ref was set to NULL in
frame_context_setup.  The issue is that, by the time frame_context_setup
is called, falliable functions (namely slices_realloc and
ff_vvc_decode_frame_ps) have already been called.  Therefore, there
could arise a situation in which the fc->ref test of decode_nal_units'
fail: block is performed while fc->ref has an invalid value.  This seems
to be particularly prevalent in situations where the FrameContexts are
being reused.  The patch resolves the issue by moving the assignment of
fc->ref to NULL to the very top of decode_nal_units, before any falliable
functions are called.

Signed-off-by: Frank Plowman <post at frankplowman.com>

> http://git.videolan.org/gitweb.cgi/ffmpeg.git/?a=commit;h=e417f939da2d04abfe6ad1f93aa47be334b66771
---

 libavcodec/vvc/dec.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/libavcodec/vvc/dec.c b/libavcodec/vvc/dec.c
index 51dd60ae92..572e904301 100644
--- a/libavcodec/vvc/dec.c
+++ b/libavcodec/vvc/dec.c
@@ -671,8 +671,6 @@ static int frame_context_setup(VVCFrameContext *fc, VVCContext *s)
 {
     int ret;
 
-    fc->ref = NULL;
-
     // copy refs from the last frame
     if (s->nb_frames && s->nb_fcs > 1) {
         VVCFrameContext *prev = get_frame_context(s, fc, -1);
@@ -927,6 +925,7 @@ static int decode_nal_units(VVCContext *s, VVCFrameContext *fc, AVPacket *avpkt)
     int ret = 0;
     s->last_eos = s->eos;
     s->eos = 0;
+    fc->ref = NULL;
 
     ff_cbs_fragment_reset(frame);
     ret = ff_cbs_read_packet(s->cbc, frame, avpkt);