shithub: libvpx

Download patch

ref: 1bd69ac57f09c1bafc2629171f53c86bfdb469e2
parent: 376c5386a4b9a14d6fc66865e601057aac3e3fb7
author: Dmitry Kovalev <dkovalev@google.com>
date: Wed Jan 29 17:02:24 EST 2014 

Fixing out of bounds access in frame_refs[] array.

Change-Id: I08f45573e0b2195c09fb6aecacb4c57431a711ea


--- a/vp9/encoder/vp9_onyx_int.h
+++ b/vp9/encoder/vp9_onyx_int.h
@@ -756,8 +756,10 @@
 
 static void set_ref_ptrs(VP9_COMMON *cm, MACROBLOCKD *xd,
                          MV_REFERENCE_FRAME ref0, MV_REFERENCE_FRAME ref1) {
-  xd->block_refs[0] = &cm->frame_refs[ref0 - LAST_FRAME];
-  xd->block_refs[1] = &cm->frame_refs[ref1 - LAST_FRAME];
+  xd->block_refs[0] = &cm->frame_refs[ref0 >= LAST_FRAME ? ref0 - LAST_FRAME
+                                                         : 0];
+  xd->block_refs[1] = &cm->frame_refs[ref1 >= LAST_FRAME ? ref1 - LAST_FRAME
+                                                         : 0];
 }
 
 #ifdef __cplusplus