ref: 0e408ea67cd142a3f27189d7e00cbabea96a28d6
parent: 890c8a15d11be3141dff16c2c577622b59abbb66
author: Jerome Jiang <jianj@google.com>
date: Fri Dec 14 09:39:58 EST 2018
vp8: Fix potential use-after-free in mfqe.

Similar issue to 842265.

The pointer in vp8 postproc refers to show_frame_mi which is only updated on show frame. However, when there is a no-show frame which also changes the size (thus new frame buffers allocated), show_frame_mi is not updated with new frame buffer memory.

Change the pointer in postproc to mi which is always updated.

BUG=913246
Change-Id: I5159ba7134a06db472c29a1d84b8d39bb60c7254
--- a/vp8/common/mfqe.c
+++ b/vp8/common/mfqe.c
@@ -235,7 +235,7 @@
FRAME_TYPE frame_type = cm->frame_type;
/* Point at base of Mb MODE_INFO list has motion vectors etc */
- const MODE_INFO *mode_info_context = cm->show_frame_mi;
+ const MODE_INFO *mode_info_context = cm->mi;
int mb_row;
int mb_col;
int totmap, map[4];
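Review bot: the swap from `cm->show_frame_mi` to `cm->mi` at the `mode_info_context` assignment removes the dangling pointer for this reader, but nothing in the hunk records why, so the existing comment `/* Point at base of Mb MODE_INFO list has motion vectors etc */` should be extended with a line such as `/* Use cm->mi, not show_frame_mi: show_frame_mi can point at a freed buffer after a size-changing no-show frame */` so the rationale from the commit message survives in the code. The root cause described in the message (show_frame_mi is not refreshed when frame buffers are reallocated) is also left in place by this change, so any other code still reading show_frame_mi after such a reallocation would hit the same stale pointer; it is worth stating in the message whether updating show_frame_mi at reallocation time was considered, or confirming that mfqe was the only remaining reader.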