shithub: libvpx

Download patch

ref: 363dc6ceda3e2d2e11083eb29161b56b9b11057e
parent: 7dbd8a5d2b77612483ec6ed8d5fe616025c43844
author: Ronald S. Bultje <[email protected]>
date: Fri Jun 7 07:40:42 EDT 2013 

Don't crash if motion vector ref points to out-of-bounds area.

This can only happen if partition is partly out-of-frame, in which
case the referenced mv is either out-of-frame also (and thus has the
same value as an already-read one), or it is actually uninitialized,
in which case we don't want to use it.

Change-Id: Icf39fa4d987c7abcbebb9bbdcdd6311e8fb9d3c9


--- a/vp9/common/vp9_mvref_common.c
+++ b/vp9/common/vp9_mvref_common.c
@@ -161,42 +161,10 @@
   vpx_memset(mv_ref_list, 0, sizeof(int_mv) * MAX_MV_REF_CANDIDATES);
   vpx_memset(candidate_scores, 0, sizeof(candidate_scores));
 
-  if (xd->mb_to_right_edge < 0 || xd->mb_to_bottom_edge < 0) {
-    int pixels_wide = 4 * b_width_log2(mbmi->sb_type);
-    int pixels_high = 4 * b_height_log2(mbmi->sb_type);
-    int pixels_square = 0;
-
-    if (xd->mb_to_right_edge < 0)
-      pixels_wide += (xd->mb_to_right_edge >> 3);
-
-    if (xd->mb_to_bottom_edge < 0)
-      pixels_high += (xd->mb_to_bottom_edge >> 3);
-
-    if ( pixels_wide < pixels_high )
-      pixels_square = pixels_wide;
-    else
-      pixels_square = pixels_high;
-
-    if (pixels_square == 64) {
-      mv_ref_search = mv_ref_blocks[BLOCK_SIZE_SB64X64];
-    } else if (pixels_square == 32) {
-      mv_ref_search = mv_ref_blocks[BLOCK_SIZE_SB32X32];
-    } else if (pixels_square == 16) {
-      mv_ref_search = mv_ref_blocks[BLOCK_SIZE_MB16X16];
-    } else {
-      mv_ref_search = mv_ref_blocks[BLOCK_SIZE_SB8X8];
-      if (mbmi->sb_type < BLOCK_SIZE_SB8X8) {
-        x_idx = block_idx & 1;
-        y_idx = block_idx >> 1;
-      }
-    }
-  }
-  else {
   mv_ref_search = mv_ref_blocks[mbmi->sb_type];
-    if (mbmi->sb_type < BLOCK_SIZE_SB8X8) {
-      x_idx = block_idx & 1;
-      y_idx = block_idx >> 1;
-      }
+  if (mbmi->sb_type < BLOCK_SIZE_SB8X8) {
+    x_idx = block_idx & 1;
+    y_idx = block_idx >> 1;
   }
 
   // We first scan for candidate vectors that match the current reference frame
@@ -205,7 +173,8 @@
     const int mi_search_col = mi_col + mv_ref_search[i][0];
     if ((mi_search_col >= cm->cur_tile_mi_col_start) &&
         (mi_search_col < cm->cur_tile_mi_col_end) &&
-        ((mv_ref_search[i][1] << 6) >= xd->mb_to_top_edge)) {
+        ((mv_ref_search[i][1] << 6) >= xd->mb_to_top_edge) &&
+        ((-mv_ref_search[i][1] << 6) <= xd->mb_to_bottom_edge)) {
       int b;
 
       candidate_mi = here + mv_ref_search[i][0] +
@@ -240,7 +209,8 @@
 
     if ((mi_search_col >= cm->cur_tile_mi_col_start) &&
         (mi_search_col < cm->cur_tile_mi_col_end) &&
-        ((mv_ref_search[i][1] << 6) >= xd->mb_to_top_edge)) {
+        ((mv_ref_search[i][1] << 6) >= xd->mb_to_top_edge) &&
+        ((-mv_ref_search[i][1] << 6) <= xd->mb_to_bottom_edge)) {
       candidate_mi = here + mv_ref_search[i][0] +
                      (mv_ref_search[i][1] * xd->mode_info_stride);
 
@@ -270,7 +240,8 @@
 
     if ((mi_search_col >= cm->cur_tile_mi_col_start) &&
         (mi_search_col < cm->cur_tile_mi_col_end) &&
-        ((mv_ref_search[i][1] << 6) >= xd->mb_to_top_edge)) {
+        ((mv_ref_search[i][1] << 6) >= xd->mb_to_top_edge) &&
+        ((-mv_ref_search[i][1] << 6) <= xd->mb_to_bottom_edge)) {
       candidate_mi = here + mv_ref_search[i][0] +
                      (mv_ref_search[i][1] * xd->mode_info_stride);