ref: f0c57a3f74ab96d97516679911f2de51f0770522
parent: 2eba086685d3ccd8959d22b0959c698774769513
parent: 45cf384738ad261de7d00769c19b9b2842af06a7
author: Jerome Jiang <[email protected]>
date: Mon Jul 30 19:27:59 EDT 2018
Merge "vp8: Fix memory address overflow in decoder."
--- a/vp8/decoder/threading.c
+++ b/vp8/decoder/threading.c
@@ -400,15 +400,24 @@
xd->dst.u_buffer = dst_buffer[1] + recon_uvoffset;
xd->dst.v_buffer = dst_buffer[2] + recon_uvoffset;
- xd->pre.y_buffer =
- ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] + recon_yoffset;
- xd->pre.u_buffer =
- ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] + recon_uvoffset;
- xd->pre.v_buffer =
- ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] + recon_uvoffset;
+ if (!ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame]) {
+ xd->pre.y_buffer =
+ ref_buffer[xd->mode_info_context->mbmi.ref_frame][0] +
+ recon_yoffset;
+ xd->pre.u_buffer =
+ ref_buffer[xd->mode_info_context->mbmi.ref_frame][1] +
+ recon_uvoffset;
+ xd->pre.v_buffer =
+ ref_buffer[xd->mode_info_context->mbmi.ref_frame][2] +
+ recon_uvoffset;
+ }
/* propagate errors from reference frames */
xd->corrupted |= ref_fb_corrupted[xd->mode_info_context->mbmi.ref_frame];
+
+ if (xd->corrupted)
+ vpx_internal_error(&pc->error, VPX_CODEC_CORRUPT_FRAME,
+ "Corrupted reference frame buffer");
mt_decode_macroblock(pbi, xd, 0);