Decoder accesses deleted SPS decoding Multilayer stream

[nikolai.shostak]

When decoder flushes reconstructed frame to a file in xFlushOutput() it uses chroma format from SPS pointer which may be deleted

            const SPS* sps = pcPic->cs->sps; // <- may be dangling
            ChromaFormat chromaFormatIDC = sps->getChromaFormatIdc();

Pre-condictions:

• 2 layers
• 2 OLSs, both layers are output layers for second OLS
• targetOlsIdx = 1
• both layers are All Intra (all pictures are IDR)
• each layer refers to it's own SPS (say SPS0 and SPS1)
• SPSs with the same IDs are signalled with every picture
• SPSs content changes (legit since it is a new CVS)
• dpb_max_dec_pic_buffering_minus1 > 1
• dpb_max_num_reorder_pics > 1

What happens:

AU0:

• SPS0 for layer0 is activated
• PU0 for layer0 is decoded
• but not outputted via xWriteOutput() because of dpb_max_dec_pic_buffering_minus1 > 1 and dpb_max_num_reorder_pics > 1
• SPS1 for layer1 is activated, SPS0 is deactivated but not deleted yet
• PU0 for layer1 is decoded
• but again not outputted via xWriteOutput()

AU1:

• SPS0 for layer0 is found and it is different from the old one
• old SPS0 is deleted (since it is not among active SPSs and therefore not swapped into m_lastActiveParameterSet)
• new SPS0 is activated
• since PU1 is IDR, xFlushOutput() is called
• in xFlushOutput(): pcPic->cs->sps which refers to deleted SPS0 is accessed

This doesn't happend with single-layer All Intra because life-time of deleted SPS is extended by swap with m_lastActiveParameterSet. SPS lives long enough to safely flush picture to a file

Ultimate fix is to use std::shared_ptr for SPS and PPS in CodingStructure instead of raw pointers.

Also possible fix could be to save chromaFormatIDC inside Picture object and use it in xFlushOutput().

Problem is that it is not enough when option "--UpscaledOutput" is used. In this case decoder needs some other parameters from potentially dangling SPS and PPS.

[nikolai.shostak]

Closed as duplicate of #1554.