ref: 75b6cfe1c50e749a0edb5460a491ca5ac947aff5
parent: 7acd0a59caaa2ded8e0c2a219bac926316e2b812
author: Yaowu Xu <[email protected]>
date: Wed May 25 05:28:36 EDT 2016
Prevent read to invalid RefBuffer This commit adds a check that validates a RefBuffer's index before reading from the frame buffer it points to, to prevent an invalid read. BUG=https://bugs.chromium.org/p/chromium/issues/detail?id=614701 Change-Id: Ie111e95bd18e88fa19d8b25e097cdf52b7139cb6
--- a/vp9/decoder/vp9_decodeframe.c
+++ b/vp9/decoder/vp9_decodeframe.c
@@ -1339,9 +1339,10 @@
// has valid dimensions.
for (i = 0; i < REFS_PER_FRAME; ++i) {
RefBuffer *const ref_frame = &cm->frame_refs[i];
- has_valid_ref_frame |= valid_ref_frame_size(ref_frame->buf->y_crop_width,
- ref_frame->buf->y_crop_height,
- width, height);
+ has_valid_ref_frame |= (ref_frame->idx != INVALID_IDX &&
+ valid_ref_frame_size(ref_frame->buf->y_crop_width,
+ ref_frame->buf->y_crop_height,
+ width, height));
}
if (!has_valid_ref_frame)
vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME,
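Review bot: The added guard tests `ref_frame->idx != INVALID_IDX`, but the field dereferenced on the two lines that follow is `ref_frame->buf`; the fix is only sound if `buf` is never left pointing at a usable-looking address whenever `idx` is invalid, which is established where the refs are read, outside this hunk, and deserves a comment at the loop, e.g. `// A ref with idx == INVALID_IDX has no backing frame buffer; buf must not be dereferenced.` The same `ref_frame->buf->y_crop_width` read is likely to occur earlier in this function when the frame-size-from-reference bit is set; if that path is not guarded the same way, an invalid reference is still read before control reaches this loop, which I cannot confirm from the hunk alone. The enclosing function starts above the hunk.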
@@ -1348,13 +1349,13 @@
"Referenced frame has invalid size");
for (i = 0; i < REFS_PER_FRAME; ++i) {
RefBuffer *const ref_frame = &cm->frame_refs[i];
- if (!valid_ref_frame_img_fmt(
- ref_frame->buf->bit_depth,
- ref_frame->buf->subsampling_x,
- ref_frame->buf->subsampling_y,
- cm->bit_depth,
- cm->subsampling_x,
- cm->subsampling_y))
+ if (ref_frame->idx == INVALID_IDX ||
+ !valid_ref_frame_img_fmt(ref_frame->buf->bit_depth,
+ ref_frame->buf->subsampling_x,
+ ref_frame->buf->subsampling_y,
+ cm->bit_depth,
+ cm->subsampling_x,
+ cm->subsampling_y))
vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME,
"Referenced frame has incompatible color format");
}
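Review bot: With the added `ref_frame->idx == INVALID_IDX ||` condition, a reference that was never decoded is rejected with "Referenced frame has incompatible color format", which misattributes the corruption since such a reference has no color format to compare. Testing the index separately ahead of the format check keeps the diagnostic accurate, e.g. `if (ref_frame->idx == INVALID_IDX) vpx_internal_error(&cm->error, VPX_CODEC_CORRUPT_FRAME, "Referenced frame has no valid buffer");` followed by the existing `valid_ref_frame_img_fmt` test unchanged. Because the first loop only requires one reference to be valid, this loop is the point that actually rejects a frame whose other references are invalid, so the message is what a user of the decoder sees. The enclosing function appears to continue past this hunk.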