shithub: libvpx


ref: f0c57a3f74ab96d97516679911f2de51f0770522
parent: 2eba086685d3ccd8959d22b0959c698774769513
parent: 45cf384738ad261de7d00769c19b9b2842af06a7
author: Jerome Jiang <[email protected]>
date: Mon Jul 30 19:27:59 EDT 2018

Merge "vp8: Fix memory address overflow in decoder."

--- a/vp8/decoder/threading.c
+++ b/vp8/decoder/threading.c
@@ -400,15 +400,24 @@
       xd->dst.u_buffer = dst_buffer[1] + recon_uvoffset;
       xd->dst.v_buffer = dst_buffer[2] + recon_uvoffset;
 
-      xd->pre.y_buffer =
-          ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] + recon_yoffset;
-      xd->pre.u_buffer =
-          ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] + recon_uvoffset;
-      xd->pre.v_buffer =
-          ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] + recon_uvoffset;
+      if (!ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame]) {
+        xd->pre.y_buffer =
+            ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] +
+            recon_yoffset;
+        xd->pre.u_buffer =
+            ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] +
+            recon_uvoffset;
+        xd->pre.v_buffer =
+            ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] +
+            recon_uvoffset;
+      }
 
       /* propagate errors from reference frames */
       xd->corrupted |= ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame];
+
+      if (xd->corrupted)
+        vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+                           "Corrupted reference frame buffer");
 
       mt_decode_macroblock(pbi, xd, 0);
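Review bot: The added `if (xd->corrupted)` check protects `mt_decode_macroblock` only if `vpx_internal_error` never returns, because with a corrupted reference the `xd->pre.y_buffer`/`u_buffer`/`v_buffer` pointers now keep whatever the previous macroblock left in them. `vpx_internal_error` unwinds via longjmp only when the error struct's `setjmp` flag is armed, and `&pc->error` looks like the decoder-wide struct rather than one owned by this worker thread, so please confirm a jump target is set up on this thread's own stack; otherwise the call either returns and decoding continues with stale `pre` pointers, or it jumps into another thread's frame. A defensive option is to leave the macroblock explicitly after reporting, or to document the assumption with a comment such as `/* vpx_internal_error() must not return here: xd->pre is stale */`. The condition is also broader than the message: `xd->corrupted` may already be set for other reasons, so testing `ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame]` directly would keep "Corrupted reference frame buffer" accurate. The enclosing function starts and ends outside this hunk, so how `xd->corrupted` is set earlier is not visible here.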