id summary reporter owner description type status priority milestone component version resolution keywords cc 1099 Repeating the active SPS leaves a dangling pointer in previously decoded pictures jackh "I have a stream which has an SPS_NUT NAL in the middle of a CVS which repeats the active SPS. I think this is legal by the spec; section 7.4.2.4.2 says: Any SPS NAL unit containing the value of sps_seq_parameter_set_id for the active SPS RBSP for a CVS shall have the same content as that of the active SPS RBSP for the CVS, unless it follows the last access unit of the CVS and precedes the first VCL NAL unit and the first SEI NAL unit containing an active parameter sets SEI message (when present) of another CVS. When the reference decoder is parsing this stream, it calls ParameterSetManagerDecoder::storePrefetchedSPS() (TDecSlice.cpp). This causes the previous copy of the SPS to be deleted and the newly allocated pointer to be stored. Any references held by stored slices to the previous pointer become dangling pointers, and can subsequently crash the reference picture set code. I would imagine that the same problem will be seen for PPSs and VPSs I can see several possible solutions to this problem: 1) Just store the parameter set ID in the slice rather than a pointer, and look up the parameter set in the ParameterSetManager every time it's needed, so that the new pointer will be picked up. This might be a problem for PPSs, as they could legitimately have been replaced since the slice was decoded, so the slice might end up referring to the wrong PPS. 2) Check if the parameter sets are equal to each other before storing them. If so, don't change the existing pointer. This will have the same problem as above for PPSs, and incurs processing time for checking equality of all parameters (although this would enable the decoder to detect the non-conformant case when the active SPS or VPS is being replaced by a different SPS or VPS) 3) Use std::shared_ptr to refer to parameter sets. This way they will be deleted once no further references are held to them, and slices will always hold the parameter sets they originally referred to. " defect closed minor HM HM-10.0 duplicate fbossen ksuehring davidf jct-vc@…