From 69ba6bd142d77aea750902d686609ae1b7b33a9e Mon Sep 17 00:00:00 2001
From: Henrik Lundin <hlundin@google.com>
Date: Wed, 1 Jun 2011 21:41:12 +0200
Subject: [PATCH] Bugfix in vp8dx_set_reference

The fb_idx_ref_cnt book-keeping was in error. Added an assert to
prevent future errors in the reference count vector. Also fixed a
pointer syntax error.

Change-Id: I563081090c78702d82199e407df4ecc93da6f349
---
 vp8/decoder/onyxd_if.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/vp8/decoder/onyxd_if.c b/vp8/decoder/onyxd_if.c
index d10b2cb346..23a3c7d065 100644
--- a/vp8/decoder/onyxd_if.c
+++ b/vp8/decoder/onyxd_if.c
@@ -24,6 +24,7 @@
 #include "vp8/common/threading.h"
 #include "decoderthreading.h"
 #include <stdio.h>
+#include <assert.h>
 
 #include "vp8/common/quant_common.h"
 #include "vpx_scale/vpxscale.h"
@@ -161,16 +162,19 @@ int vp8dx_set_reference(VP8D_PTR ptr, VP8_REFFRAME ref_frame_flag, YV12_BUFFER_C
     int free_fb;
 
     if (ref_frame_flag == VP8_LAST_FLAG)
-        *ref_fb_ptr = cm->lst_fb_idx;
+        ref_fb_ptr = &cm->lst_fb_idx;
     else if (ref_frame_flag == VP8_GOLD_FLAG)
-        *ref_fb_ptr = cm->gld_fb_idx;
+        ref_fb_ptr = &cm->gld_fb_idx;
     else if (ref_frame_flag == VP8_ALT_FLAG)
-        *ref_fb_ptr = cm->alt_fb_idx;
+        ref_fb_ptr = &cm->alt_fb_idx;
     else
         return -1;
 
     /* Find an empty frame buffer. */
     free_fb = get_free_fb(cm);
+    /* Decrease fb_idx_ref_cnt since it will be increased again in
+     * ref_cnt_fb() below. */
+    cm->fb_idx_ref_cnt[free_fb]--;
 
     /* Manage the reference counters and copy image. */
     ref_cnt_fb (cm->fb_idx_ref_cnt, ref_fb_ptr, free_fb);
@@ -192,6 +196,7 @@ static int get_free_fb (VP8_COMMON *cm)
         if (cm->fb_idx_ref_cnt[i] == 0)
             break;
 
+    assert(i < NUM_YV12_BUFFERS);
     cm->fb_idx_ref_cnt[i] = 1;
     return i;
 }
-- 
GitLab